The validation of server responses avoids out of boundary accesses.
From Tobias Stoeckmann / Xorg Securiry adrvisory Oct 4, 2016.
This commit is contained in:
parent
cdbe6c3bc9
commit
bd2560e2ec
@ -66,7 +66,7 @@ int *actualCount) /* RETURN */
|
|||||||
|
|
||||||
if (rep.nFonts) {
|
if (rep.nFonts) {
|
||||||
flist = Xmalloc (rep.nFonts * sizeof(char *));
|
flist = Xmalloc (rep.nFonts * sizeof(char *));
|
||||||
if (rep.length < (INT_MAX >> 2)) {
|
if (rep.length > 0 && rep.length < (INT_MAX >> 2)) {
|
||||||
rlen = rep.length << 2;
|
rlen = rep.length << 2;
|
||||||
ch = Xmalloc(rlen + 1);
|
ch = Xmalloc(rlen + 1);
|
||||||
/* +1 to leave room for last null-terminator */
|
/* +1 to leave room for last null-terminator */
|
||||||
@ -93,11 +93,22 @@ int *actualCount) /* RETURN */
|
|||||||
if (ch + length < chend) {
|
if (ch + length < chend) {
|
||||||
flist[i] = ch + 1; /* skip over length */
|
flist[i] = ch + 1; /* skip over length */
|
||||||
ch += length + 1; /* find next length ... */
|
ch += length + 1; /* find next length ... */
|
||||||
|
if (ch <= chend) {
|
||||||
length = *(unsigned char *)ch;
|
length = *(unsigned char *)ch;
|
||||||
*ch = '\0'; /* and replace with null-termination */
|
*ch = '\0'; /* and replace with null-termination */
|
||||||
count++;
|
count++;
|
||||||
} else
|
} else {
|
||||||
flist[i] = NULL;
|
Xfree(flist);
|
||||||
|
flist = NULL;
|
||||||
|
count = 0;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
Xfree(flist);
|
||||||
|
flist = NULL;
|
||||||
|
count = 0;
|
||||||
|
break;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
*actualCount = count;
|
*actualCount = count;
|
||||||
|
@ -55,7 +55,7 @@ char **XListExtensions(
|
|||||||
|
|
||||||
if (rep.nExtensions) {
|
if (rep.nExtensions) {
|
||||||
list = Xmalloc (rep.nExtensions * sizeof (char *));
|
list = Xmalloc (rep.nExtensions * sizeof (char *));
|
||||||
if (rep.length < (INT_MAX >> 2)) {
|
if (rep.length > 0 && rep.length < (INT_MAX >> 2)) {
|
||||||
rlen = rep.length << 2;
|
rlen = rep.length << 2;
|
||||||
ch = Xmalloc (rlen + 1);
|
ch = Xmalloc (rlen + 1);
|
||||||
/* +1 to leave room for last null-terminator */
|
/* +1 to leave room for last null-terminator */
|
||||||
@ -80,9 +80,13 @@ char **XListExtensions(
|
|||||||
if (ch + length < chend) {
|
if (ch + length < chend) {
|
||||||
list[i] = ch+1; /* skip over length */
|
list[i] = ch+1; /* skip over length */
|
||||||
ch += length + 1; /* find next length ... */
|
ch += length + 1; /* find next length ... */
|
||||||
|
if (ch <= chend) {
|
||||||
length = *ch;
|
length = *ch;
|
||||||
*ch = '\0'; /* and replace with null-termination */
|
*ch = '\0'; /* and replace with null-termination */
|
||||||
count++;
|
count++;
|
||||||
|
} else {
|
||||||
|
list[i] = NULL;
|
||||||
|
}
|
||||||
} else
|
} else
|
||||||
list[i] = NULL;
|
list[i] = NULL;
|
||||||
}
|
}
|
||||||
|
@ -42,7 +42,8 @@ XGetModifierMapping(register Display *dpy)
|
|||||||
GetEmptyReq(GetModifierMapping, req);
|
GetEmptyReq(GetModifierMapping, req);
|
||||||
(void) _XReply (dpy, (xReply *)&rep, 0, xFalse);
|
(void) _XReply (dpy, (xReply *)&rep, 0, xFalse);
|
||||||
|
|
||||||
if (rep.length < (INT_MAX >> 2)) {
|
if (rep.length < (INT_MAX >> 2) &&
|
||||||
|
(rep.length >> 1) == rep.numKeyPerModifier) {
|
||||||
nbytes = (unsigned long)rep.length << 2;
|
nbytes = (unsigned long)rep.length << 2;
|
||||||
res = Xmalloc(sizeof (XModifierKeymap));
|
res = Xmalloc(sizeof (XModifierKeymap));
|
||||||
if (res)
|
if (res)
|
||||||
|
Loading…
Reference in New Issue
Block a user