authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-04-13 12:45:41 -0700
committerAlan Coopersmith <alan.coopersmith@oracle.com>2013-05-04 19:05:02 -0700
commitb69d6d51a82b1d1e8c68a233360acb742c879375 (patch)
tree0058aa795be45ef0f603356a5e24a0eda6c633db /src/XF86DGA2.c
parentf89cf306a60facdf102696840bc05acebd7d1772 (diff)
buffer overflow in XDGASetMode() [CVE-2013-2000 2/2]
When reading the name strings for the mode off the network, we never checked that the length of the name strings did not exceed the size of the buffer we'd allocated based on the reported rep.length for the total reply size. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Diffstat (limited to 'src/XF86DGA2.c')
-rw-r--r--src/XF86DGA2.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
index 90ca918..4d13677 100644
--- a/src/XF86DGA2.c
+++ b/src/XF86DGA2.c
@@ -444,8 +444,14 @@ XDGASetMode(
dev->mode.reserved1 = info.reserved1;
dev->mode.reserved2 = info.reserved2;
- dev->mode.name = (char*)(&dev[1]);
- _XRead(dpy, dev->mode.name, info.name_size);
+ if (info.name_size > 0 && info.name_size <= size) {
+ dev->mode.name = (char*)(&dev[1]);
+ _XRead(dpy, dev->mode.name, info.name_size);
+ dev->mode.name[info.name_size - 1] = '\0';
+ } else {
+ dev->mode.name = NULL;
+ _XEatDataWords(dpy, rep.length);
+ }
dev->pixmap = (rep.flags & XDGAPixmap) ? pid : 0;
dev->data = XDGAGetMappedMemory(screen);