File u_crash-on-invalid-reply-in-XListExtensions.patch of Package libX11.19843

From 060fc58795737e13639f381a7ea55675fd5339c2 Mon Sep 17 00:00:00 2001
From: Stefan Dirsch <sndirsch@suse.de>
Date: Tue, 14 Aug 2018 11:46:40 +0200
Subject: [PATCH] crash on invalid reply in XListExtensions
References: bsc#1102073 CVE-2018-14598

If the server sends a reply in which even the first string would
overflow the transmitted bytes, list[0] will be set to NULL and
a count of 0 is returned.

If the resulting list is freed with XFreeExtensionList later on,
the first Xfree call:

    Xfree (list[0]-1)
 turns into
    Xfree (NULL-1)

which will most likely trigger a segmentation fault.

I have modified the code to return NULL if the first string would
overflow, thus protecting XFreeExtensionList later on.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
---
 src/ListExt.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/ListExt.c b/src/ListExt.c
index 6537c4dc..ece9ba31 100644
--- a/src/ListExt.c
+++ b/src/ListExt.c
@@ -83,6 +83,11 @@ char **XListExtensions(
 		    length = (unsigned char) *ch;
 		    *ch = '\0'; /* and replace with null-termination */
 		    count++;
+		} else if (i == 0) {
+		    Xfree(list);
+		    Xfree(ch);
+		    list = NULL;
+		    break;
 		} else
 		    list[i] = NULL;
 	    }
-- 
2.16.4
openSUSE Build Service is sponsored by