1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
|
From 9264a21b688891dbdcee630ff72cf39aa75fc4e1 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 9 Mar 2013 11:44:14 -0800
Subject: [PATCH 2/2] unvalidated length in _XtResourceConfigurationEH
[CVE-2013-2002]
The RCM_DATA property is expected to be in the format:
resource_length, resource, value
If the property contains a resource_length thats results in a pointer
outside the property string, memory corruption can occur.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/ResConfig.c | 41 ++++++++++++++++++++++++++---------------
1 file changed, 26 insertions(+), 15 deletions(-)
diff --git a/src/ResConfig.c b/src/ResConfig.c
index 68da536..1f3edbe 100644
--- a/src/ResConfig.c
+++ b/src/ResConfig.c
@@ -971,26 +971,37 @@ _XtResourceConfigurationEH (
* resource and value fields.
*/
if (data) {
+ char *data_end = data + nitems;
+ char *data_value;
+
resource_len = Strtoul ((void *)data, &data_ptr, 10);
- data_ptr++;
- data_ptr[resource_len] = '\0';
+ if (data_ptr != (char *) data) {
+ data_ptr++;
+ data_value = data_ptr + resource_len;
+ } else /* strtoul failed to convert a number */
+ data_ptr = data_value = NULL;
+
+ if (data_value > data_ptr && data_value < data_end) {
+ *data_value++ = '\0';
- resource = XtNewString (data_ptr);
- value = XtNewString (&data_ptr[resource_len + 1]);
+ resource = XtNewString (data_ptr);
+ value = XtNewString (data_value);
#ifdef DEBUG
- fprintf (stderr, "resource_len=%d\n",resource_len);
- fprintf (stderr, "resource = %s\t value = %s\n",
- resource, value);
+ fprintf (stderr, "resource_len=%d\n"
+ resource_len);
+ fprintf (stderr, "resource = %s\t value = %s\n",
+ resource, value);
#endif
- /*
- * descend the application widget tree and
- * apply the value to the appropriate widgets
- */
- _search_widget_tree (w, resource, value);
-
- XtFree (resource);
- XtFree (value);
+ /*
+ * descend the application widget tree and
+ * apply the value to the appropriate widgets
+ */
+ _search_widget_tree (w, resource, value);
+
+ XtFree (resource);
+ XtFree (value);
+ }
}
}
--
1.8.2.3
|