File U_004-FixSignedLengthValuesIn_XimGetAttributeID.patch of Package libX11.28097
From: Todd Carson <tc@daybefore.net>
The lengths are unsigned according to the specification. Passing
negative values can lead to data corruption.
Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
---
modules/im/ximcp/imRmAttr.c | 21 +++++++++++----------
1 file changed, 11 insertions(+), 10 deletions(-)
Index: libX11-1.6.5/modules/im/ximcp/imRmAttr.c
===================================================================
--- libX11-1.6.5.orig/modules/im/ximcp/imRmAttr.c
+++ libX11-1.6.5/modules/im/ximcp/imRmAttr.c
@@ -1393,13 +1393,13 @@ _XimEncodeSavedICATTRIBUTE(
static unsigned int
_XimCountNumberOfAttr(
- INT16 total,
- CARD16 *attr,
- int *names_len)
+ CARD16 total,
+ CARD16 *attr,
+ unsigned int *names_len)
{
unsigned int n;
- INT16 len;
- INT16 min_len = sizeof(CARD16) /* sizeof attribute ID */
+ CARD16 len;
+ CARD16 min_len = sizeof(CARD16) /* sizeof attribute ID */
+ sizeof(CARD16) /* sizeof type of value */
+ sizeof(INT16); /* sizeof length of attribute */
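Review bot: The `min_len` initializer still sizes the length field as `sizeof(INT16)`, in the context line that ends this hunk and again in the `_XimGetAttributeID` hunk, which sits oddly with a change whose premise is that lengths are unsigned. The size is identical, so behaviour is unaffected, but `+ sizeof(CARD16); /* sizeof length of attribute */` would keep the declaration consistent with the new `CARD16 len`. A short comment above `_XimCountNumberOfAttr` would also help, stating that `total` and each `attr[2]` are presumably taken from received protocol data and must be treated as untrusted. The function body continues outside the hunk.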
@@ -1407,6 +1407,9 @@ _XimCountNumberOfAttr(
*names_len = 0;
while (total > min_len) {
len = attr[2];
+ if (len >= (total - min_len)) {
+ return 0;
+ }
*names_len += (len + 1);
len += (min_len + XIM_PAD(len + 2));
total -= len;
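Review bot: The added guard bounds only the raw name length, but the amount subtracted from `total` two lines later is `min_len + len + XIM_PAD(len + 2)`, so the check and the consumption disagree. If `XIM_PAD` rounds up to a 4-byte boundary, a length just under the limit can make `total -= len` go below zero. Because `total` is now a `CARD16`, it would wrap to a large value and the loop would keep advancing `attr` past the received data. In the other direction, `>=` rejects a final attribute whose name exactly fills the remainder, which looks like a well-formed reply. Comparing the whole record size in a wider type covers both cases: `unsigned int rec = min_len + len + XIM_PAD(len + 2);` followed by `if (rec > total) return 0;`, placed before `*names_len` is updated; the loop continues outside the hunk, and returning 0 is only safe if the caller treats a zero count as failure.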
@@ -1421,17 +1424,15 @@ _XimGetAttributeID(
Xim im,
CARD16 *buf)
{
- unsigned int n;
+ unsigned int n, names_len, values_len;
XIMResourceList res;
char *names;
- int names_len;
XPointer tmp;
XIMValuesList *values_list;
char **values;
- int values_len;
register int i;
- INT16 len;
- INT16 min_len = sizeof(CARD16) /* sizeof attribute ID */
+ CARD16 len;
+ CARD16 min_len = sizeof(CARD16) /* sizeof attribute ID */
+ sizeof(CARD16) /* sizeof type of value */
+ sizeof(INT16); /* sizeof length of attr */
/*
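Review bot: `register int i;` stays signed while `n`, `names_len` and `values_len` become `unsigned int`, so any `i < n` loop condition later in `_XimGetAttributeID` (outside this hunk) would compare signed with unsigned operands. Declaring it `unsigned int i;` would match the new counters and keep `-Wsign-compare` quiet. The counters presumably size allocations further down in the function, so it is worth confirming there that a zero count returned by `_XimCountNumberOfAttr` is handled as an error and not as an empty list.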