authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-04-13 12:45:41 -0700
committerAlan Coopersmith <alan.coopersmith@oracle.com>2013-05-04 19:05:02 -0700
commitb69d6d51a82b1d1e8c68a233360acb742c879375 (patch)
tree0058aa795be45ef0f603356a5e24a0eda6c633db /src
parentf89cf306a60facdf102696840bc05acebd7d1772 (diff)
buffer overflow in XDGASetMode() [CVE-2013-2000 2/2]
When reading the name strings for the mode off the network, we never checked to make sure the length of the name strings didn't overflow the size of the buffer we'd allocated based on the reported rep.length for the total reply size. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Diffstat (limited to 'src')
-rw-r--r--src/XF86DGA2.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
index 90ca918..4d13677 100644
--- a/src/XF86DGA2.c
+++ b/src/XF86DGA2.c
@@ -444,8 +444,14 @@ XDGASetMode(
dev->mode.reserved1 = info.reserved1;
dev->mode.reserved2 = info.reserved2;
- dev->mode.name = (char*)(&dev[1]);
- _XRead(dpy, dev->mode.name, info.name_size);
+ if (info.name_size > 0 && info.name_size <= size) {
+ dev->mode.name = (char*)(&dev[1]);
+ _XRead(dpy, dev->mode.name, info.name_size);
+ dev->mode.name[info.name_size - 1] = '\0';
+ } else {
+ dev->mode.name = NULL;
+ _XEatDataWords(dpy, rep.length);
+ }
dev->pixmap = (rep.flags & XDGAPixmap) ? pid : 0;
dev->data = XDGAGetMappedMemory(screen);
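Review bot: The else branch calls `_XEatDataWords(dpy, rep.length)`, which discards the full reply length even though the fixed-size `info` structure has presumably already been read from that reply (its fields are copied just above; the read itself is outside the hunk). If so, a reply with a bad `name_size` makes the client consume bytes that belong to the next reply or event, or block waiting for data that never arrives, so the rejection path desynchronises the connection instead of failing cleanly. Assuming `size` is the count of reply bytes remaining after `info`, as the `info.name_size <= size` comparison suggests, the discard should be `_XEatData(dpy, size);`. The accepted branch has a related gap: when `info.name_size < size` the trailing bytes stay unread, so `_XEatData(dpy, size - info.name_size);` after the `_XRead` would keep the stream aligned. XDGASetMode's body starts and ends outside the hunk.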