Overview

File u_mesa-CVE-2023-45919.patch of Package Mesa

 src/glx/glx_query.c |   13 +++++++++++++
 1 file changed, 13 insertions(+)
--- a/src/glx/glx_query.c
+++ b/src/glx/glx_query.c
@@ -53,6 +53,13 @@ __glXQueryServerString(Display * dpy, in
    /* The spec doesn't mention this, but the Xorg server replies with
     * a string already terminated with '\0'. */
    uint32_t len = xcb_glx_query_server_string_string_length(reply);
+   /* Allow a max of 64kb string length */
+   size_t reply_len = strnlen(xcb_glx_query_server_string_string(reply), 64*1024);
+   if (reply_len + 1 != len)
+   {
+      free(reply);
+      return(NULL);
+   }
    char *buf = malloc(len);
    memcpy(buf, xcb_glx_query_server_string_string(reply), len);
    free(reply);
@@ -77,6 +84,12 @@ __glXGetString(Display * dpy, int opcode
    /* The spec doesn't mention this, but the Xorg server replies with
     * a string already terminated with '\0'. */
    uint32_t len = xcb_glx_get_string_string_length(reply);
+   size_t reply_len = strnlen(xcb_glx_get_string_string(reply), 64*1024);
+   if (reply_len + 1 != len)
+   {
+      free(reply);
+      return(NULL);
+   }
    char *buf = malloc(len);
    memcpy(buf, xcb_glx_get_string_string(reply), len);
    free(reply);
openSUSE Build Service is sponsored by
Places