[PATCH xts 2/2] libproto: RcvRep: Don't overwrite memory in QueryFont
Ian Romanick
idr at freedesktop.org
Wed Jan 21 12:19:58 PST 2015
On 01/20/2015 05:57 PM, Peter Harris wrote:
> If the server returns a bogus (short) reply to a swapped QueryFont
> request, RcvRep swaps past the end of its buffer, smashing the heap.
>
> Signed-off-by: Peter Harris <pharris at opentext.com>
Given the calculated_length check later in that case, this change looks
trivially correct.
Reviewed-by: Ian Romanick <ian.d.romanick at intel.com>
> ---
> xts5/src/libproto/RcvRep.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/xts5/src/libproto/RcvRep.c b/xts5/src/libproto/RcvRep.c
> index c375d5a..946ce6f 100644
> --- a/xts5/src/libproto/RcvRep.c
> +++ b/xts5/src/libproto/RcvRep.c
> @@ -374,6 +374,10 @@ int client; /* */
> wbcopy(rbp,valuePtr, 32);
> break;
> case X_QueryFont:
> + if (rp->generic.length < 7) {
> + Length_Error(max(bytes_there,calculated_length<<2),client,rp,type,"QueryFont",7);
> + break;
> + }
> valuePtr = (unsigned char *) &(((xQueryFontReply *)rp)->minBounds);
> Unpack_Shorts((unsigned short *) valuePtr, &rbp, 6, needswap);
> rbp += 4;
>
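Review bot: in the added X_QueryFont check, the Length_Error call passes max(bytes_there,calculated_length<<2), but nothing visible in this case assigns calculated_length before that point, and the review reply places the calculated_length check later in the case. Please confirm it holds a meaningful value here. If it does not, pass bytes_there alone or assign calculated_length before the call, so the reported length is not stale. The literal 7 also appears twice, in the comparison and as the last Length_Error argument, with no explanation. A short comment or a named constant stating that it is the minimum reply length the following Unpack_Shorts calls rely on would keep the two uses in sync.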