From 5dcfa6a8cf2df39828da733e5945e730518c27b3 Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Sat, 13 Apr 2013 12:27:10 -0700 Subject: buffer overflow in XDGAQueryModes() [CVE-2013-2000 1/2] When reading the name strings for the modes off the network, we never checked to make sure the length of the individual name strings didn't overflow the size of the buffer we'd allocated based on the reported rep.length for the total reply size. Reported-by: Ilja Van Sprundel Signed-off-by: Alan Coopersmith --- src/XF86DGA2.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c index 8830266..b5145ee 100644 --- a/src/XF86DGA2.c +++ b/src/XF86DGA2.c @@ -356,9 +356,16 @@ XDGAMode* XDGAQueryModes( modes[i].reserved1 = info.reserved1; modes[i].reserved2 = info.reserved2; - _XRead(dpy, offset, info.name_size); - modes[i].name = offset; - offset += info.name_size; + if (info.name_size > 0 && info.name_size <= size) { + _XRead(dpy, offset, info.name_size); + modes[i].name = offset; + modes[i].name[info.name_size - 1] = '\0'; + offset += info.name_size; + size -= info.name_size; + } else { + _XEatData(dpy, info.name_size); + modes[i].name = NULL; + } } *num = rep.number; } else -- cgit v1.2.3