blob: 70ed6aef783257ded45a8935eedc72a929288a08 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
|
From b69d6d51a82b1d1e8c68a233360acb742c879375 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 13 Apr 2013 12:45:41 -0700
Subject: [PATCH 5/6] buffer overflow in XDGASetMode() [CVE-2013-2000 2/2]
When reading the name strings for the mode off the network, we never
checked to make sure the length of the name strings didn't overflow
the size of the buffer we'd allocated based on the reported rep.length
for the total reply size.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/XF86DGA2.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
index 90ca918..4d13677 100644
--- a/src/XF86DGA2.c
+++ b/src/XF86DGA2.c
@@ -444,8 +444,14 @@ XDGASetMode(
dev->mode.reserved1 = info.reserved1;
dev->mode.reserved2 = info.reserved2;
- dev->mode.name = (char*)(&dev[1]);
- _XRead(dpy, dev->mode.name, info.name_size);
+ if (info.name_size > 0 && info.name_size <= size) {
+ dev->mode.name = (char*)(&dev[1]);
+ _XRead(dpy, dev->mode.name, info.name_size);
+ dev->mode.name[info.name_size - 1] = '\0';
+ } else {
+ dev->mode.name = NULL;
+ _XEatDataWords(dpy, rep.length);
+ }
dev->pixmap = (rep.flags & XDGAPixmap) ? pid : 0;
dev->data = XDGAGetMappedMemory(screen);
--
1.8.2.3
|
