Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP3:GA
libXrender
U_Avoid-OOB-write-in-XRenderQueryFilters.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File U_Avoid-OOB-write-in-XRenderQueryFilters.patch of Package libXrender
From 8fad00b0b647ee662ce4737ca15be033b7a21714 Mon Sep 17 00:00:00 2001 From: Tobias Stoeckmann <tobias@stoeckmann.org> Date: Sun, 25 Sep 2016 21:42:09 +0200 Subject: [PATCH] Avoid OOB write in XRenderQueryFilters The memory for filter names is reserved right after receiving the reply. After that, filters are iterated and each individual filter name is stored in that reserved memory. The individual name lengths are not checked for validity, which means that a malicious server can reserve less memory than it will write to during each iteration. v2: consume remaining bytes in reply buffer on error. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org> Reviewed-by: Matthieu Herrb <matthieu@herrb.eu> --- src/Filter.c | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/src/Filter.c b/src/Filter.c index edfa572..8d701eb 100644 --- a/src/Filter.c +++ b/src/Filter.c @@ -38,7 +38,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable) char *name; char len; int i; - unsigned long nbytes, nbytesAlias, nbytesName; + unsigned long nbytes, nbytesAlias, nbytesName, reply_left; if (!RenderHasExtension (info)) return NULL; @@ -114,6 +114,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable) * Read the filter aliases */ _XRead16Pad (dpy, filters->alias, 2 * rep.numAliases); + reply_left = 8 + rep.length - 2 * rep.numAliases;; /* * Read the filter names @@ -122,9 +123,19 @@ XRenderQueryFilters (Display *dpy, Drawable drawable) { int l; _XRead (dpy, &len, 1); + reply_left--; l = len & 0xff; + if ((unsigned long)l + 1 > nbytesName) { + _XEatDataWords(dpy, reply_left); + Xfree(filters); + UnlockDisplay (dpy); + SyncHandle (); + return NULL; + } + nbytesName -= l + 1; filters->filter[i] = name; _XRead (dpy, name, l); + reply_left -= l; name[l] = '\0'; name += l + 1; } -- 2.6.6
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor