From b3dc751212e5f2f6b5d263e009cc2b85e56bfdbf Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann
Date: Thu, 7 Feb 2019 20:54:37 +0100
Subject: Buffer overflow with many arguments.

Command line arguments are copied into clientargv and serverargv without verifying that enough space is available. A high amount of arguments can therefore trigger a buffer overflow like this:

$ xinit $(seq 1 500)

Signed-off-by: Tobias Stoeckmann
Reviewed-by: Walter Harms wharms@bfs,de
---
 xinit.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/xinit.c b/xinit.c
index f826b7a..06c92b2 100644
--- a/xinit.c
+++ b/xinit.c
@@ -151,7 +151,6 @@ main(int argc, char *argv[])
 register char **ptr;
 pid_t pid;
 int client_given = 0, server_given = 0;
- int client_args_given = 0, server_args_given = 0;
 int start_of_client_args, start_of_server_args;
 struct sigaction sa, si;
 #ifdef __APPLE__
@@ -174,7 +173,8 @@ main(int argc, char *argv[])
 }
 start_of_client_args = (cptr - client);
 while (argc && strcmp(*argv, "--")) {
- client_args_given++;
+ if (cptr > clientargv + sizeof(clientargv) / sizeof(*clientargv) - 2)
+ Fatalx("too many client arguments");
 *cptr++ = *argv++;
 argc--;
 }
@@ -202,7 +202,8 @@ main(int argc, char *argv[])

 start_of_server_args = (sptr - server);
 while (--argc >= 0) {
- server_args_given++;
+ if (sptr > serverargv + sizeof(serverargv) / sizeof(*serverargv) - 2)
+ Fatalx("too many server arguments");
 *sptr++ = *argv++;
 }
 *sptr = NULL;
-- 
cgit v1.2.3

From 9a8b937bcfd84575e13039f316cbcb14c9729df4 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith
Date: Sun, 3 Mar 2019 11:56:43 -0800
Subject: xinit 1.4.1

Signed-off-by: Alan Coopersmith
---
 configure.ac | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/configure.ac b/configure.ac
index a1ca573..3530b7e 100644
--- a/configure.ac
+++ b/configure.ac
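Review bot: The bound `clientargv + sizeof(clientargv) / sizeof(*clientargv) - 2` in the client-argument loop of xinit.c reads as an arbitrary margin; as far as the hunk shows, with `>` it admits a store up to the second-to-last slot and leaves the last one for the `*cptr = NULL` that presumably follows the loop (the matching `*sptr = NULL;` is visible after the server loop). I would say that in a comment, `/* keep the last slot free for the terminating NULL */`, or write the test as `if (cptr >= clientargv + sizeof(clientargv) / sizeof(*clientargv) - 1)`, which is equivalent and states the reservation directly. The same applies to the `sptr` check in the server-argument loop of the third hunk. Both loops sit inside main(), which begins and ends outside these hunks, so whether any earlier or later code also appends to either array without a bound cannot be confirmed from here.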
@@ -22,7 +22,7 @@ dnl Process this file with autoconf to create configure.

 # Initialize Autoconf
 AC_PREREQ([2.60])
-AC_INIT([xinit], [1.4.0],
+AC_INIT([xinit], [1.4.1],
 [https://gitlab.freedesktop.org/xorg/app/xinit/issues], [xinit])
 AC_CONFIG_SRCDIR([Makefile.am])
 AC_CONFIG_HEADERS([config.h])
-- 
cgit v1.2.3