author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-04-13 14:33:32 -0700 |
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-04-26 19:32:10 -0700 |
commit | 47bb28ac0e6e49d3b6eb90c7c215f2fcf54f1a95 (patch) | |
tree | 3d32aea5479b2fadf2fb191f99c98554e59fc75d | |
parent | 284a88e21fc05a63466115b33efa411c60d988c9 (diff) |
memory corruption in XF86VidModeGetGammaRamp() [CVE-2013-2001]
We trusted the server not to return more data than the client said it had
allocated room for, and would overflow the provided buffers if it did.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-rw-r--r-- | src/XF86VMode.c | 21 |
1 files changed, 13 insertions, 8 deletions
diff --git a/src/XF86VMode.c b/src/XF86VMode.c
index bd54937..a32564e 100644
--- a/src/XF86VMode.c
+++ b/src/XF86VMode.c
@@ -1110,6 +1110,7 @@ XF86VidModeGetGammaRamp (
 XExtDisplayInfo *info = find_display (dpy);
 xXF86VidModeGetGammaRampReq *req;
 xXF86VidModeGetGammaRampReply rep;
+ Bool result = True;
 XF86VidModeCheckExtension (dpy, info, False);
@@ -1120,19 +1121,23 @@ XF86VidModeGetGammaRamp (
 req->screen = screen;
 req->size = size;
 if (!_XReply (dpy, (xReply *) &rep, 0, xFalse)) {
- UnlockDisplay (dpy);
- SyncHandle ();
- return False;
+ result = False;
 }
- if(rep.size) {
- _XRead(dpy, (char*)red, rep.size << 1);
- _XRead(dpy, (char*)green, rep.size << 1);
- _XRead(dpy, (char*)blue, rep.size << 1);
+ else if (rep.size) {
+ if (rep.size <= size) {
+ _XRead(dpy, (char*)red, rep.size << 1);
+ _XRead(dpy, (char*)green, rep.size << 1);
+ _XRead(dpy, (char*)blue, rep.size << 1);
+ }
+ else {
+ _XEatDataWords(dpy, rep.length);
+ result = False;
+ }
 }
 UnlockDisplay(dpy);
 SyncHandle();
- return True;
+ return result;
 }
 Bool
 XF86VidModeGetGammaRampSize( |
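Review bot: The new guard `if (rep.size <= size)` in the second hunk stops the overflow but still accepts a reply that is shorter than the caller's `size`: only the first rep.size entries of red, green and blue are written, the tails are left untouched, and the function returns True while the caller has no way to learn rep.size from this API. If, as the neighbouring XF86VidModeGetGammaRampSize() suggests, callers are expected to pass the size the server itself reported, a mismatch in either direction is a protocol inconsistency and the guard could be tightened to `if (rep.size == size) {` so the short case also takes the existing `_XEatDataWords(dpy, rep.length); result = False;` branch; otherwise the function's header comment should state that the ramps may be only partially filled. Separately, the three _XRead calls consume 6*rep.size bytes regardless of rep.length, so if the server's wire layout pads each ramp or reports extra words (not visible in this hunk, so unverified here) the remainder stays queued on the connection and desynchronises later replies; validating rep.length against rep.size before reading would close that gap. The enclosing function XF86VidModeGetGammaRamp() begins before the first hunk.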