[Xcb] [Bug 107105] New: glyph.c ignores allocation failures with possible heap corruption

Tue Jul 3 21:15:56 UTC 2018

https://bugs.freedesktop.org/show_bug.cgi?id=107105

            Bug ID: 107105
           Summary: glyph.c ignores allocation failures with possible heap
                    corruption
           Product: XCB
           Version: unspecified
          Hardware: Other
                OS: All
            Status: NEW
          Severity: normal
          Priority: medium
         Component: Utils
          Assignee: xcb at lists.freedesktop.org
          Reporter: mrsam at courier-mta.com
        QA Contact: xcb at lists.freedesktop.org

In renderutil/glyph.c, _grow_stream() checks if realloc() fails, but doesn't
really do anything about that, and simply returns.

All existing callers of _grow_stream() assume that it succeeds, and proceed to
blindly memcpy() more stuff to the stream.

There's a remote chance of this being exploitable. An attacker would have to
cause an application that uses xcb to:

- run out of memory

- proceed to create a text stream consisting of glyph data that overwrites and
corrupts the existing heap space, in some controlled way.

A brief survey of the existing calls to _grow_stream() suggests that plugging
this hole is trivial -- have _grow_stream() return an error indication, and all
existing calls to _grow_stream() in glyph.c can simply return, in that case.

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are the QA Contact for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.freedesktop.org/archives/xcb/attachments/20180703/8a705078/attachment.html>