qbit/xenocara
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Avoid OOB write in XRenderQueryFilters

Browse Source 
The memory for filter names is reserved right after receiving the reply.
After that, filters are iterated and each individual filter name is
stored in that reserved memory.

The individual name lengths are not checked for validity, which means
that a malicious server can reserve less memory than it will write to
during each iteration.

From Tobias Stoeckmann / X.Org security advisory Oct 4, 2016
This commit is contained in:
matthieu 2016-10-04 15:03:48 +00:00
parent aebb61b811
commit 9f957a9f79
1 changed files with 12 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
lib/libXrender/src/Filter.c
View File

@ -38,7 +38,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
char *name;
char len;
int i;
unsigned long nbytes, nbytesAlias, nbytesName;
unsigned long nbytes, nbytesAlias, nbytesName, reply_left;
if (!RenderHasExtension (info))
return NULL;
@ -114,6 +114,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
* Read the filter aliases
*/
_XRead16Pad (dpy, filters->alias, 2 * rep.numAliases);
reply_left = 8 + rep.length - 2 * rep.numAliases;;
/*
* Read the filter names
@ -122,9 +123,19 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
{
int l;
_XRead (dpy, &len, 1);
reply_left--;
l = len & 0xff;
if ((unsigned long)l + 1 > nbytesName) {
_XEatDataWords(dpy, reply_left);
Xfree(filters);
UnlockDisplay (dpy);
SyncHandle ();
return NULL;
}
nbytesName -= l + 1;
filters->filter[i] = name;
_XRead (dpy, name, l);
reply_left -= l;
name[l] = '\0';
name += l + 1;
}