Diffstat (limited to 'main/libxt/0002-unvalidated-length-in-_XtResourceConfigurationEH-CVE.patch')
-rw-r--r--main/libxt/0002-unvalidated-length-in-_XtResourceConfigurationEH-CVE.patch78
1 files changed, 0 insertions, 78 deletions
diff --git a/main/libxt/0002-unvalidated-length-in-_XtResourceConfigurationEH-CVE.patch b/main/libxt/0002-unvalidated-length-in-_XtResourceConfigurationEH-CVE.patch
deleted file mode 100644
index 05c77504e..000000000
--- a/main/libxt/0002-unvalidated-length-in-_XtResourceConfigurationEH-CVE.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From 9264a21b688891dbdcee630ff72cf39aa75fc4e1 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sat, 9 Mar 2013 11:44:14 -0800
-Subject: [PATCH 2/2] unvalidated length in _XtResourceConfigurationEH
- [CVE-2013-2002]
-
-The RCM_DATA property is expected to be in the format:
- resource_length, resource, value
-
-If the property contains a resource_length thats results in a pointer
-outside the property string, memory corruption can occur.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- src/ResConfig.c | 41 ++++++++++++++++++++++++++---------------
- 1 file changed, 26 insertions(+), 15 deletions(-)
-
-diff --git a/src/ResConfig.c b/src/ResConfig.c
-index 68da536..1f3edbe 100644
---- a/src/ResConfig.c
-+++ b/src/ResConfig.c
-@@ -971,26 +971,37 @@ _XtResourceConfigurationEH (
- * resource and value fields.
- */
- if (data) {
-+ char *data_end = data + nitems;
-+ char *data_value;
-+
- resource_len = Strtoul ((void *)data, &data_ptr, 10);
-- data_ptr++;
-
-- data_ptr[resource_len] = '\0';
-+ if (data_ptr != (char *) data) {
-+ data_ptr++;
-+ data_value = data_ptr + resource_len;
-+ } else /* strtoul failed to convert a number */
-+ data_ptr = data_value = NULL;
-+
-+ if (data_value > data_ptr && data_value < data_end) {
-+ *data_value++ = '\0';
-
-- resource = XtNewString (data_ptr);
-- value = XtNewString (&data_ptr[resource_len + 1]);
-+ resource = XtNewString (data_ptr);
-+ value = XtNewString (data_value);
- #ifdef DEBUG
-- fprintf (stderr, "resource_len=%d\n",resource_len);
-- fprintf (stderr, "resource = %s\t value = %s\n",
-- resource, value);
-+ fprintf (stderr, "resource_len=%d\n"
-+ resource_len);
-+ fprintf (stderr, "resource = %s\t value = %s\n",
-+ resource, value);
- #endif
-- /*
-- * descend the application widget tree and
-- * apply the value to the appropriate widgets
-- */
-- _search_widget_tree (w, resource, value);
--
-- XtFree (resource);
-- XtFree (value);
-+ /*
-+ * descend the application widget tree and
-+ * apply the value to the appropriate widgets
-+ */
-+ _search_widget_tree (w, resource, value);
-+
-+ XtFree (resource);
-+ XtFree (value);
-+ }
- }
- }
-
---
-1.8.2.3
-