[Xcb] [Bug 107105] New: glyph.c ignores allocation failures with possible heap corruption
bugzilla-daemon at freedesktop.org
Tue Jul 3 21:15:56 UTC 2018
https://bugs.freedesktop.org/show_bug.cgi?id=107105
Bug ID: 107105
Summary: glyph.c ignores allocation failures with possible heap corruption
Product: XCB
Version: unspecified
Hardware: Other
OS: All
Status: NEW
Severity: normal
Priority: medium
Component: Utils
Assignee: xcb at lists.freedesktop.org
Reporter: mrsam at courier-mta.com
QA Contact: xcb at lists.freedesktop.org
In renderutil/glyph.c, _grow_stream() checks if realloc() fails, but doesn't really do anything about that, and simply returns.

All existing callers of _grow_stream() assume that it succeeds, and proceed to blindly memcpy() more stuff to the stream.

There's a remote chance of this being exploitable. An attacker would have to cause an application that uses xcb to:

- run out of memory
- proceed to create a text stream consisting of glyph data that overwrites and corrupts the existing heap space, in some controlled way.

A brief survey of the existing calls to _grow_stream() suggests that plugging this hole is trivial -- have _grow_stream() return an error indication, and all existing calls to _grow_stream() in glyph.c can simply return, in that case.
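The fix sketched above, as an added example that is not xcb's own code: a constructed growable stream whose grow function returns an error indication, with a caller that bails out before the memcpy(). The struct, function names and the alloc_limit hook (used to simulate realloc() failure deterministically) are all hypothetical.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a growable glyph byte stream; names are
 * hypothetical, not xcb-util-renderutil's own struct or functions. */
typedef struct {
    unsigned char *data;
    size_t len, cap;
} glyph_stream;

/* Hook so an allocation failure can be simulated deterministically. */
static size_t alloc_limit = (size_t)-1;

/* Hardened grow: surface the realloc() failure instead of returning void.
 * The reported defect is the shape  grow(s, n); memcpy(...)  where the
 * failure was detected inside grow but never reached the caller. */
static bool grow_stream(glyph_stream *s, size_t need)
{
    if (s->cap - s->len >= need)
        return true;
    size_t ncap = s->cap ? s->cap : 64;
    while (ncap - s->len < need)
        ncap *= 2;
    unsigned char *p = ncap > alloc_limit ? NULL : realloc(s->data, ncap);
    if (p == NULL)
        return false;          /* stream left intact, nothing written */
    s->data = p;
    s->cap = ncap;
    return true;
}

/* Caller pattern after the fix: return before the memcpy() on failure. */
static bool stream_append(glyph_stream *s, const void *src, size_t n)
{
    if (!grow_stream(s, n))
        return false;
    memcpy(s->data + s->len, src, n);
    s->len += n;
    return true;
}

/* Scenario: under a 64-byte allocation budget a 200-byte glyph record must
 * be rejected and the stream stay empty, while a 10-byte one still fits.
 * Returns the bytes retained (10) when both outcomes are as expected. */
static size_t demo_oom_path(void)
{
    unsigned char rec[200];
    memset(rec, 0xAB, sizeof rec);          /* constructed sample glyph data */
    glyph_stream s = {0};
    alloc_limit = 64;
    bool big = stream_append(&s, rec, sizeof rec);   /* false: simulated OOM */
    bool small = stream_append(&s, rec, 10);         /* true: fits in 64 */
    size_t kept = (!big && small) ? s.len : (size_t)-1;
    free(s.data);
    alloc_limit = (size_t)-1;
    return kept;
}
```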