From b69d6d51a82b1d1e8c68a233360acb742c879375 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith
Date: Sat, 13 Apr 2013 12:45:41 -0700
Subject: [PATCH 5/6] buffer overflow in XDGASetMode() [CVE-2013-2000 2/2]

When reading the name strings for the mode off the network, we never checked to make sure the length of the name strings didn't overflow the size of the buffer we'd allocated based on the reported rep.length for the total reply size.

Reported-by: Ilja Van Sprundel
Signed-off-by: Alan Coopersmith
---
 src/XF86DGA2.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
index 90ca918..4d13677 100644
--- a/src/XF86DGA2.c
+++ b/src/XF86DGA2.c
@@ -444,8 +444,14 @@ XDGASetMode(
     dev->mode.reserved1 = info.reserved1;
     dev->mode.reserved2 = info.reserved2;
 
-    dev->mode.name = (char*)(&dev[1]);
-    _XRead(dpy, dev->mode.name, info.name_size);
+    if (info.name_size > 0 && info.name_size <= size) {
+        dev->mode.name = (char*)(&dev[1]);
+        _XRead(dpy, dev->mode.name, info.name_size);
+        dev->mode.name[info.name_size - 1] = '\0';
+    } else {
+        dev->mode.name = NULL;
+        _XEatDataWords(dpy, rep.length);
+    }
 
     dev->pixmap = (rep.flags & XDGAPixmap) ? pid : 0;
     dev->data = XDGAGetMappedMemory(screen);
-- 
1.8.2.3
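Review bot: The rejection branch discards `rep.length` words, but the `info` structure whose `reserved1`/`reserved2` fields are copied at the top of the hunk has evidently already been read out of this same reply, so eating the full reply length would over-consume by the size of that header and desynchronise the stream for the next reply. The comparison `info.name_size <= size` suggests `size` is the number of reply bytes still unread after the header; if that is so, `_XEatData(dpy, size);` is the amount that actually remains, and `rep.length` should not be reused here. `size`, `info` and the earlier `_XRead` of the header are outside the hunk, so this needs confirming against the start of XDGASetMode. A one-line comment above the else branch, `/* name_size is untrusted wire data: drop the rest of the reply instead of overrunning dev */`, would record why the length is rejected rather than clamped.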