authorMatthieu Herrb <matthieu@cvs.openbsd.org>2021-05-18 14:15:12 +0000
committerMatthieu Herrb <matthieu@cvs.openbsd.org>2021-05-18 14:15:12 +0000
commitcec017c41ec7f555b582f51b39ebaa42f219023a (patch)
tree54c7d5ef693ef2a6f3541ba8dd531fe903fd823e /lib/libX11/src/LookupCol.c
parent31729957f1862f72fd51f80953b9efd13e744816 (diff)
Reject string longer than USHRT_MAX before sending them on the wire
The X protocol uses CARD16 values to represent the length so this would overflow. CVE-2021-31535
Diffstat (limited to 'lib/libX11/src/LookupCol.c')
-rw-r--r--lib/libX11/src/LookupCol.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/lib/libX11/src/LookupCol.c b/lib/libX11/src/LookupCol.c
index 9608d5121..12cf0793f 100644
--- a/lib/libX11/src/LookupCol.c
+++ b/lib/libX11/src/LookupCol.c
@@ -27,7 +27,9 @@ in this Software without prior written authorization from The Open Group.
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
+#include <limits.h>
#include <stdio.h>
+#include <sys/limits.h>
#include "Xlibint.h"
#include "Xcmsint.h"
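Review bot: The added `#include <sys/limits.h>` appears redundant, because both macros used by this change, `USHRT_MAX` and `SHRT_MAX`, are defined by the standard `<limits.h>` added two lines above. Dropping the system-specific header keeps the file closer to portable C and avoids depending on a header that other platforms may not provide.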
@@ -46,6 +48,9 @@ XLookupColor (
XcmsCCC ccc;
XcmsColor cmsColor_exact;
+ n = (int) strlen (spec);
+ if (n >= USHRT_MAX)
+ return 0;
#ifdef XCMS
/*
* Let's Attempt to use Xcms and i18n approach to Parse Color
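Review bot: The length is narrowed to `int` before it is compared (`n = (int) strlen (spec);`), so a string longer than `INT_MAX` converts to an implementation-defined value, typically negative or small, and can pass `n >= USHRT_MAX`. Doing the comparison in `size_t` and narrowing afterwards closes that gap: `size_t len = strlen (spec); if (len >= USHRT_MAX) return 0; n = (int) len;`. The same cast appears in the context line `n = (int) strlen (spec);` of the later hunk at -79,6 and deserves the same treatment. The declaration of `n` and the rest of XLookupColor lie outside this hunk, so how `n` is used after the check is inferred from the commit message only.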
@@ -79,6 +84,8 @@ XLookupColor (
*/
n = (int) strlen (spec);
+ if (n > SHRT_MAX)
+ return(0);
LockDisplay(dpy);
GetReq (LookupColor, req);
req->cmap = cmap;
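Review bot: The two guards in XLookupColor disagree on the limit: the one added at the top of the function rejects `n >= USHRT_MAX`, while this one rejects `n > SHRT_MAX`. A name of 32768 to 65534 bytes therefore passes the first check and is refused only here, after the code under `#ifdef XCMS` has already run on it. The commit message names USHRT_MAX, so either this check should use the same bound or the lower bound should be applied once at the top with a comment such as `/* length is sent as CARD16; reject names that cannot be encoded */`. `return(0);` here also differs in style from `return 0;` in the earlier hunk. The function body continues past the end of this hunk.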