From 47bb28ac0e6e49d3b6eb90c7c215f2fcf54f1a95 Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Sat, 13 Apr 2013 14:33:32 -0700 Subject: memory corruption in XF86VidModeGetGammaRamp() [CVE-2013-2001] We trusted the server not to return more data than the client said it had allocated room for, and would overflow the provided buffers if it did. Reported-by: Ilja Van Sprundel Signed-off-by: Alan Coopersmith --- src/XF86VMode.c | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) (limited to 'src') diff --git a/src/XF86VMode.c b/src/XF86VMode.c index bd54937..a32564e 100644 --- a/src/XF86VMode.c +++ b/src/XF86VMode.c @@ -1110,6 +1110,7 @@ XF86VidModeGetGammaRamp ( XExtDisplayInfo *info = find_display (dpy); xXF86VidModeGetGammaRampReq *req; xXF86VidModeGetGammaRampReply rep; + Bool result = True; XF86VidModeCheckExtension (dpy, info, False); @@ -1120,19 +1121,23 @@ XF86VidModeGetGammaRamp ( req->screen = screen; req->size = size; if (!_XReply (dpy, (xReply *) &rep, 0, xFalse)) { - UnlockDisplay (dpy); - SyncHandle (); - return False; + result = False; } - if(rep.size) { - _XRead(dpy, (char*)red, rep.size << 1); - _XRead(dpy, (char*)green, rep.size << 1); - _XRead(dpy, (char*)blue, rep.size << 1); + else if (rep.size) { + if (rep.size <= size) { + _XRead(dpy, (char*)red, rep.size << 1); + _XRead(dpy, (char*)green, rep.size << 1); + _XRead(dpy, (char*)blue, rep.size << 1); + } + else { + _XEatDataWords(dpy, rep.length); + result = False; + } } UnlockDisplay(dpy); SyncHandle(); - return True; + return result; } Bool XF86VidModeGetGammaRampSize( -- cgit v1.2.3