authorMatthieu Herrb <matthieu@cvs.openbsd.org>2021-05-18 14:15:12 +0000
committerMatthieu Herrb <matthieu@cvs.openbsd.org>2021-05-18 14:15:12 +0000
commitcec017c41ec7f555b582f51b39ebaa42f219023a (patch)
tree54c7d5ef693ef2a6f3541ba8dd531fe903fd823e /lib/libX11/src/StName.c
parent31729957f1862f72fd51f80953b9efd13e744816 (diff)
Reject string longer than USHRT_MAX before sending them on the wire
The X protocol uses CARD16 values to represent the length so this would overflow. CVE-2021-31535
Diffstat (limited to 'lib/libX11/src/StName.c')
-rw-r--r--lib/libX11/src/StName.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/lib/libX11/src/StName.c b/lib/libX11/src/StName.c
index 58b5a5a67..04bb3aa6a 100644
--- a/lib/libX11/src/StName.c
+++ b/lib/libX11/src/StName.c
@@ -27,6 +27,7 @@ in this Software without prior written authorization from The Open Group.
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
+#include <limits.h>
#include <X11/Xlibint.h>
#include <X11/Xatom.h>
@@ -36,7 +37,9 @@ XStoreName (
Window w,
_Xconst char *name)
{
- return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING,
+ if (strlen(name) >= USHRT_MAX)
+ return 0;
+ return XChangeProperty(dpy, w, XA_WM_NAME, XA_STRING, /* */
8, PropModeReplace, (_Xconst unsigned char *)name,
name ? (int) strlen(name) : 0);
}
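Review bot: The new guard in XStoreName calls `strlen(name)` before the NULL test that the unchanged last argument still performs (`name ? (int) strlen(name) : 0`), so a NULL `name`, which that ternary suggests was tolerated before, now dereferences a null pointer. Writing the check as `if (name != NULL && strlen(name) >= USHRT_MAX)` keeps the CARD16 overflow rejection and the earlier NULL behaviour. The same applies to `icon_name` in the XSetIconName hunk below. The empty `/* */` added after `XA_STRING,` looks like a leftover and could be dropped. XStoreName's parameter list starts above this hunk, so only the body is visible here.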
@@ -47,6 +50,8 @@ XSetIconName (
Window w,
_Xconst char *icon_name)
{
+ if (strlen(icon_name) >= USHRT_MAX)
+ return 0;
return XChangeProperty(dpy, w, XA_WM_ICON_NAME, XA_STRING, 8,
PropModeReplace, (_Xconst unsigned char *)icon_name,
icon_name ? (int) strlen(icon_name) : 0);