diff options
author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-04-13 12:45:41 -0700 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-05-04 19:05:02 -0700 |
commit | b69d6d51a82b1d1e8c68a233360acb742c879375 (patch) | |
tree | 0058aa795be45ef0f603356a5e24a0eda6c633db /src | |
parent | f89cf306a60facdf102696840bc05acebd7d1772 (diff) |
buffer overflow in XDGASetMode() [CVE-2013-2000 2/2]
When reading the name strings for the mode off the network, we never
checked to make sure the length of the name strings didn't overflow
the size of the buffer we'd allocated based on the reported rep.length
for the total reply size.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/XF86DGA2.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c index 90ca918..4d13677 100644 --- a/src/XF86DGA2.c +++ b/src/XF86DGA2.c @@ -444,8 +444,14 @@ XDGASetMode( dev->mode.reserved1 = info.reserved1; dev->mode.reserved2 = info.reserved2; - dev->mode.name = (char*)(&dev[1]); - _XRead(dpy, dev->mode.name, info.name_size); + if (info.name_size > 0 && info.name_size <= size) { + dev->mode.name = (char*)(&dev[1]); + _XRead(dpy, dev->mode.name, info.name_size); + dev->mode.name[info.name_size - 1] = '\0'; + } else { + dev->mode.name = NULL; + _XEatDataWords(dpy, rep.length); + } dev->pixmap = (rep.flags & XDGAPixmap) ? pid : 0; dev->data = XDGAGetMappedMemory(screen); |