From 5dcfa6a8cf2df39828da733e5945e730518c27b3 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 13 Apr 2013 12:27:10 -0700
Subject: [PATCH 3/6] buffer overflow in XDGAQueryModes() [CVE-2013-2000 1/2]
When reading the name strings for the modes off the network, we never
checked to make sure the length of the individual name strings didn't
overflow the size of the buffer we'd allocated based on the reported
rep.length for the total reply size.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/XF86DGA2.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
index 8830266..b5145ee 100644
--- a/src/XF86DGA2.c
+++ b/src/XF86DGA2.c
@@ -356,9 +356,16 @@ XDGAMode* XDGAQueryModes(
modes[i].reserved1 = info.reserved1;
modes[i].reserved2 = info.reserved2;
- _XRead(dpy, offset, info.name_size);
- modes[i].name = offset;
- offset += info.name_size;
+ if (info.name_size > 0 && info.name_size <= size) {
+ _XRead(dpy, offset, info.name_size);
+ modes[i].name = offset;
+ modes[i].name[info.name_size - 1] = '\0';
+ offset += info.name_size;
+ size -= info.name_size;
+ } else {
+ _XEatData(dpy, info.name_size);
+ modes[i].name = NULL;
+ }
}
*num = rep.number;
} else
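Review bot: The new else-branch leaves `modes[i].name` as NULL for a mode whose name_size is zero or larger than the remaining reply buffer, while the function still returns that entry and counts it in `*num`; existing callers that read `mode->name` without a NULL check will now dereference NULL on a malformed reply rather than overflow, and neither the hunk nor the commit message says so. A one-line comment above the `if` would make the contract visible to the next maintainer, e.g. `/* name_size is server-supplied; a name that would not fit in the remaining reply buffer is discarded and left NULL (callers must check) */`, and the public header or man page for XDGAQueryModes should state that `name` may be NULL. The guard relies on `size` being the number of bytes still unused in the allocated buffer after the per-mode records read earlier in the loop; that bookkeeping is outside this hunk, so it is worth confirming that `size` is initialized and reduced consistently with every `offset +=` on the same buffer. XDGAQueryModes begins and ends outside the hunk.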
--
1.8.2.3