diff options
author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-04-13 00:16:14 -0700 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-05-07 14:04:08 -0700 |
commit | 15ab7dec17d686c38f2c82ac23a17cac5622322a (patch) | |
tree | ecf3f834d59b8157cf0cd326f7d2f213455a96d8 /src/Xv.c | |
parent | 6e1b743a276651195be3cd68dff41e38426bf3ab (diff) |
buffer overflow in XvQueryPortAttributes() [CVE-2013-2066]
Each attribute returned in the reply includes the number of bytes
to read for its marker. We had been always trusting it, and never
validating that it wouldn't cause us to write past the end of the
buffer we allocated based on the reported text_size.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Diffstat (limited to 'src/Xv.c')
-rw-r--r-- | src/Xv.c | 10 |
1 files changed, 8 insertions, 2 deletions
@@ -864,14 +864,20 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num) xvAttributeInfo Info; int i; + /* keep track of remaining room for text strings */ + size = rep.text_size; + for(i = 0; i < rep.num_attributes; i++) { _XRead(dpy, (char*)(&Info), sz_xvAttributeInfo); ret[i].flags = (int)Info.flags; ret[i].min_value = Info.min; ret[i].max_value = Info.max; ret[i].name = marker; - _XRead(dpy, marker, Info.size); - marker += Info.size; + if (Info.size <= size) { + _XRead(dpy, marker, Info.size); + marker += Info.size; + size -= Info.size; + } (*num)++; } } else |