authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-04-13 00:16:14 -0700
committerAlan Coopersmith <alan.coopersmith@oracle.com>2013-05-07 14:04:08 -0700
commit15ab7dec17d686c38f2c82ac23a17cac5622322a (patch)
treeecf3f834d59b8157cf0cd326f7d2f213455a96d8
parent6e1b743a276651195be3cd68dff41e38426bf3ab (diff)
buffer overflow in XvQueryPortAttributes() [CVE-2013-2066]
Each attribute returned in the reply includes the number of bytes to read for its marker. We had always trusted it, never validating that it would not make us write past the end of the buffer we allocated based on the reported text_size. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-rw-r--r--src/Xv.c10
1 files changed, 8 insertions, 2 deletions
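diff --git a/src/Xv.c b/src/Xv.c
index 3cbad35..f9813eb 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -864,14 +864,20 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
 xvAttributeInfo Info;
 int i;
+ /* keep track of remaining room for text strings */
+ size = rep.text_size;
+
 for(i = 0; i < rep.num_attributes; i++) {
 _XRead(dpy, (char*)(&Info), sz_xvAttributeInfo);
 ret[i].flags = (int)Info.flags;
 ret[i].min_value = Info.min;
 ret[i].max_value = Info.max;
 ret[i].name = marker;
- _XRead(dpy, marker, Info.size);
- marker += Info.size;
+ if (Info.size <= size) {
+ _XRead(dpy, marker, Info.size);
+ marker += Info.size;
+ size -= Info.size;
+ }
 (*num)++;
 }
 } else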
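Review bot: When the new `if (Info.size <= size)` check fails, the `Info.size` bytes the server sent for that attribute are never read at all, so the connection's read position falls behind the reply and every later `_XRead` in this loop, and whatever is parsed after it, consumes the wrong bytes; the oversized text should still be drained from the stream, e.g. `} else { _XEatData(dpy, Info.size); }`. In that same branch `ret[i].name` has already been set to `marker`, into which nothing was read for this entry, so the caller is handed a pointer to whatever the buffer holds at that position (presumably the tail of the previous string) rather than an empty or explicitly-absent name; clearing it with `ret[i].name = NULL;` in the else branch would make the truncation visible to callers. The declarations of `size`, `marker` and the type of `Info.size` are outside the hunk, so I can only note that the comparison is sound as long as `size` is non-negative when converted to the type of `Info.size`, which the visible decrement preserves. A why-comment on the check would help the next reader, e.g. `/* Info.size is server-supplied; never let it exceed the room left in the text_size buffer */`. XvQueryPortAttributes begins and ends outside this hunk.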