authorTobias Stoeckmann <tobias@stoeckmann.org>2016-09-25 22:31:34 +0200
committerMatthieu Herrb <matthieu@herrb.eu>2016-09-25 22:31:34 +0200
commit19a9cd607de73947fcfb104682f203ffe4e1f4e5 (patch)
tree5fbb89ac3f543a3b25d9eb9e85def0e19b174e9e /src/XGetBMap.c
parent2286282f965064176b3b1492646c6e2e0f4ab7dd (diff)
Properly validate server responses.
By validating length fields from server responses, out of boundary accesses and endless loops can be mitigated. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org> Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
Diffstat (limited to 'src/XGetBMap.c')
-rw-r--r--src/XGetBMap.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/src/XGetBMap.c b/src/XGetBMap.c
index 002daba..13bb8c6 100644
--- a/src/XGetBMap.c
+++ b/src/XGetBMap.c
@@ -92,7 +92,8 @@ XGetDeviceButtonMapping(
status = _XReply(dpy, (xReply *) & rep, 0, xFalse);
if (status == 1) {
- if (rep.length <= (sizeof(mapping) >> 2)) {
+ if (rep.length <= (sizeof(mapping) >> 2) &&
+ rep.nElts <= (rep.length << 2)) {
unsigned long nbytes = rep.length << 2;
_XRead(dpy, (char *)mapping, nbytes);
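Review bot: The two-part condition starting at `if (rep.length <= (sizeof(mapping) >> 2) &&` mixes units without saying so: `rep.length` is compared in 4-byte words while `rep.nElts` is compared against a byte count, and the reason `nElts` needs a bound at all is not visible in this hunk. A short comment above the `if` would keep the check from being simplified away later, e.g. `/* length is in 4-byte words and must fit in mapping[]; nElts must not exceed the bytes actually read */`. XGetDeviceButtonMapping continues outside the hunk, so where `rep.nElts` is consumed and how the rejection branch treats the unread reply data should be confirmed there. A rejected reply presumably still has to be drained and reported to the caller as a failure.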