diff options
| author | Matthieu Herrb <matthieu@cvs.openbsd.org> | 2016-10-04 14:56:38 +0000 |
|---|---|---|
| committer | Matthieu Herrb <matthieu@cvs.openbsd.org> | 2016-10-04 14:56:38 +0000 |
| commit | d426f010a6c091515d0cbf38fc1b2776f6e0198c (patch) | |
| tree | 7f50c00d1d3b9fa596b258ce1e4e76d9c4fb221e /lib | |
| parent | cb198546ca81b1ff7bf90342429274e21eaafc5a (diff) | |
The validation of server responses avoids out of boundary accesses.
From Tobias Stoeckmann / Xorg Securiry adrvisory Oct 4, 2016.
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/libX11/src/FontNames.c | 23 | ||||
| -rw-r--r-- | lib/libX11/src/ListExt.c | 12 | ||||
| -rw-r--r-- | lib/libX11/src/ModMap.c | 3 |
3 files changed, 27 insertions, 11 deletions
diff --git a/lib/libX11/src/FontNames.c b/lib/libX11/src/FontNames.c index 6fc6b1272..2dbca40dc 100644 --- a/lib/libX11/src/FontNames.c +++ b/lib/libX11/src/FontNames.c @@ -66,7 +66,7 @@ int *actualCount) /* RETURN */ if (rep.nFonts) { flist = Xmalloc (rep.nFonts * sizeof(char *)); - if (rep.length < (INT_MAX >> 2)) { + if (rep.length > 0 && rep.length < (INT_MAX >> 2)) { rlen = rep.length << 2; ch = Xmalloc(rlen + 1); /* +1 to leave room for last null-terminator */ @@ -93,11 +93,22 @@ int *actualCount) /* RETURN */ if (ch + length < chend) { flist[i] = ch + 1; /* skip over length */ ch += length + 1; /* find next length ... */ - length = *(unsigned char *)ch; - *ch = '\0'; /* and replace with null-termination */ - count++; - } else - flist[i] = NULL; + if (ch <= chend) { + length = *(unsigned char *)ch; + *ch = '\0'; /* and replace with null-termination */ + count++; + } else { + Xfree(flist); + flist = NULL; + count = 0; + break; + } + } else { + Xfree(flist); + flist = NULL; + count = 0; + break; + } } } *actualCount = count; diff --git a/lib/libX11/src/ListExt.c b/lib/libX11/src/ListExt.c index 431ae6784..75f5f5428 100644 --- a/lib/libX11/src/ListExt.c +++ b/lib/libX11/src/ListExt.c @@ -55,7 +55,7 @@ char **XListExtensions( if (rep.nExtensions) { list = Xmalloc (rep.nExtensions * sizeof (char *)); - if (rep.length < (INT_MAX >> 2)) { + if (rep.length > 0 && rep.length < (INT_MAX >> 2)) { rlen = rep.length << 2; ch = Xmalloc (rlen + 1); /* +1 to leave room for last null-terminator */ @@ -80,9 +80,13 @@ char **XListExtensions( if (ch + length < chend) { list[i] = ch+1; /* skip over length */ ch += length + 1; /* find next length ... */ - length = *ch; - *ch = '\0'; /* and replace with null-termination */ - count++; + if (ch <= chend) { + length = *ch; + *ch = '\0'; /* and replace with null-termination */ + count++; + } else { + list[i] = NULL; + } } else list[i] = NULL; } diff --git a/lib/libX11/src/ModMap.c b/lib/libX11/src/ModMap.c index a809aa291..49a5d08e8 100644 --- a/lib/libX11/src/ModMap.c +++ b/lib/libX11/src/ModMap.c @@ -42,7 +42,8 @@ XGetModifierMapping(register Display *dpy) GetEmptyReq(GetModifierMapping, req); (void) _XReply (dpy, (xReply *)&rep, 0, xFalse); - if (rep.length < (INT_MAX >> 2)) { + if (rep.length < (INT_MAX >> 2) && + (rep.length >> 1) == rep.numKeyPerModifier) { nbytes = (unsigned long)rep.length << 2; res = Xmalloc(sizeof (XModifierKeymap)); if (res) |