summaryrefslogtreecommitdiff
path: root/src/stubs/delfntcid.c
diff options
context:
space:
mode:
authorJeremy Huddleston Sequoia <jeremyhu@apple.com>2016-05-30 00:46:21 -0700
committerJeremy Huddleston Sequoia <jeremyhu@apple.com>2016-05-30 21:25:19 -0700
commit42d85d1293b2753f3f200de0e960bacef0c973c7 (patch)
tree35e816b456e1d17ff2492a6c35f2c7fedd60a1c1 /src/stubs/delfntcid.c
parent2b09a7af9f19db886567e524f978ad393593f7c0 (diff)
fserve: Fix a buffer read overrun in _fs_client_access
https://bugs.freedesktop.org/show_bug.cgi?id=83224 Found by clang's Address Sanitizer crac.num_auths = set_font_authorizations(&authorizations, &authlen, client); /* Work around bug in xfs versions up through modular release 1.0.8 which rejects CreateAC packets with num_auths = 0 & authlen < 4 */ if (crac.num_auths == 0) { authorizations = padding; authlen = 4; } else { authlen = (authlen + 3) & ~0x3; } crac.length = (sizeof (fsCreateACReq) + authlen) >> 2; crac.acid = cur->acid; _fs_add_req_log(conn, FS_CreateAC); _fs_write(conn, (char *) &crac, sizeof (fsCreateACReq)); _fs_write(conn, authorizations, authlen); In the case in the report, set_font_authorizations setup authorizations as a 34 byte buffer (and authlen set to 34 as one would expect). The following block changed authlen to 36 to make it 4byte aligned and the final _fs_write() caused us to read 36 bytes from this 34 byte buffer. This changes the incorrect size increase to instead use _fs_write_pad which takes care of the padding for us. Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com> (cherry picked from commit 6972ea08ee5b2ef1cfbdc2fcaf14f06bbd391561)
Diffstat (limited to 'src/stubs/delfntcid.c')
0 files changed, 0 insertions, 0 deletions