blob: 76a7024a2dfd6f2ef4ff3de986f6bc3fa2e8fee0 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
|
From 894a5825df6b9389f677ecdf5950c712f2a2c890 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 9 Mar 2013 23:37:23 -0800
Subject: [PATCH 05/16] memory corruption in _XIPassiveGrabDevice()
[CVE-2013-1998 2/3]
If the server returned more modifiers than the caller asked for,
we'd just keep copying past the end of the array provided by the
caller, writing over who-knows-what happened to be there.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 91434737f592e8f5cc1762383882a582b55fc03a)
(cherry picked from commit f0c0f2ff06c8f9ec36f3f344dda4bec71ca5698b)
---
src/XIPassiveGrab.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/src/XIPassiveGrab.c b/src/XIPassiveGrab.c
index 34f1bf3..c64f6ae 100644
--- a/src/XIPassiveGrab.c
+++ b/src/XIPassiveGrab.c
@@ -85,7 +85,7 @@ _XIPassiveGrabDevice(Display* dpy, int deviceid, int grabtype, int detail,
return -1;
_XRead(dpy, (char*)failed_mods, reply.num_modifiers * sizeof(xXIGrabModifierInfo));
- for (i = 0; i < reply.num_modifiers; i++)
+ for (i = 0; i < reply.num_modifiers && i < num_modifiers; i++)
{
modifiers_inout[i].status = failed_mods[i].status;
modifiers_inout[i].modifiers = failed_mods[i].modifiers;
--
1.7.7.1
|
