authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-04-13 00:16:14 -0700
committerAlan Coopersmith <alan.coopersmith@oracle.com>2013-05-07 14:04:08 -0700
commit15ab7dec17d686c38f2c82ac23a17cac5622322a (patch)
treeecf3f834d59b8157cf0cd326f7d2f213455a96d8 /src/Xv.c
parent6e1b743a276651195be3cd68dff41e38426bf3ab (diff)
buffer overflow in XvQueryPortAttributes() [CVE-2013-2066]
Each attribute returned in the reply includes the number of bytes to read for its marker. We had been always trusting it, and never validating that it wouldn't cause us to write past the end of the buffer we allocated based on the reported text_size. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Diffstat (limited to 'src/Xv.c')
-rw-r--r--src/Xv.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/src/Xv.c b/src/Xv.c
index 3cbad35..f9813eb 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -864,14 +864,20 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
xvAttributeInfo Info;
int i;
+ /* keep track of remaining room for text strings */
+ size = rep.text_size;
+
for(i = 0; i < rep.num_attributes; i++) {
_XRead(dpy, (char*)(&Info), sz_xvAttributeInfo);
ret[i].flags = (int)Info.flags;
ret[i].min_value = Info.min;
ret[i].max_value = Info.max;
ret[i].name = marker;
- _XRead(dpy, marker, Info.size);
- marker += Info.size;
+ if (Info.size <= size) {
+ _XRead(dpy, marker, Info.size);
+ marker += Info.size;
+ size -= Info.size;
+ }
(*num)++;
}
} else
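Review bot: When the new `if (Info.size <= size)` check fails, the `Info.size` bytes of that attribute's name are left unread on the display connection, so every following `_XRead` of `xvAttributeInfo` in this loop (and anything after it) parses from the wrong offset, while `ret[i].name` still points at `marker` for an entry that was never filled. The overflow is fixed, but a server that lies about sizes can now desynchronise the protocol stream instead; unless something after the loop discards the rest of the reply (not visible here), the skipped bytes should be consumed in place, e.g. `} else { _XEatData(dpy, Info.size); }`, and it is worth stating in a comment that `ret[i].name` is then an empty or stale pointer the caller cannot distinguish. Separately, nothing in the hunk guarantees the copied name is NUL-terminated within the `text_size` allocation; that relies on the server including the terminator in `Info.size`, which a hostile server need not do. The declaration of `size` and the allocation it must match are outside this hunk, as is the start and remainder of XvQueryPortAttributes.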