[PATCH libXrender 1/2] Avoid OOB write in XRenderQueryFilters

Julien Cristau jcristau at debian.org
Sat Sep 9 12:29:31 UTC 2017


Anyone?  This still looks wrong to me.

Cheers,
Julien

On Sat, Jan  7, 2017 at 18:46:57 +0100, Julien Cristau wrote:

> On Sun, Sep 25, 2016 at 22:50:45 +0200, Matthieu Herrb wrote:
> 
> > From: Tobias Stoeckmann <tobias at stoeckmann.org>
> > 
> > The memory for filter names is reserved right after receiving the reply.
> > After that, filters are iterated and each individual filter name is
> > stored in that reserved memory.
> > 
> > The individual name lengths are not checked for validity, which means
> > that a malicious server can reserve less memory than it will write to
> > during each iteration.
> > 
> > v2: consume remaining bytes in reply buffer on error.
> > 
> > Signed-off-by: Tobias Stoeckmann <tobias at stoeckmann.org>
> > Reviewed-by: Matthieu Herrb <matthieu at herrb.eu>
> > ---
> >  src/Filter.c | 13 ++++++++++++-
> >  1 file changed, 12 insertions(+), 1 deletion(-)
> > 
> > diff --git a/src/Filter.c b/src/Filter.c
> > index edfa572..8d701eb 100644
> > --- a/src/Filter.c
> > +++ b/src/Filter.c
> > @@ -38,7 +38,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
> >      char			*name;
> >      char			len;
> >      int				i;
> > -    unsigned long		nbytes, nbytesAlias, nbytesName;
> > +    unsigned long		nbytes, nbytesAlias, nbytesName, reply_left;
> >  
> >      if (!RenderHasExtension (info))
> >  	return NULL;
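Review bot: `len` is kept as `char` in this hunk's context while the new `reply_left` is an `unsigned long`; if `len` holds the per-filter name length byte that the commit message says is currently unchecked, then on platforms where `char` is signed a length of 128 or more reads as a negative number, and comparing it against `reply_left` or `nbytesName` converts that negative value to a very large unsigned one that no longer matches the byte actually received. Suggest declaring `len` as `unsigned char` (or `unsigned int`) in the same hunk so the bound introduced by this patch is evaluated on a non-negative length.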
> > @@ -114,6 +114,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
> >       * Read the filter aliases
> >       */
> >      _XRead16Pad (dpy, filters->alias, 2 * rep.numAliases);
> > +    reply_left = 8 + rep.length - 2 * rep.numAliases;;
> >  
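Review bot: the units in `reply_left = 8 + rep.length - 2 * rep.numAliases;;` do not agree, and the line ends in a doubled semicolon. `rep.length` is the reply length in 4-byte units, whereas `2 * rep.numAliases` is a byte count (the `_XRead16Pad` call directly above consumes two bytes per alias, padded to a multiple of four), so the result is neither a byte count nor a word count and cannot be compared reliably against per-name lengths. Because `reply_left` is `unsigned long`, the subtraction also wraps to a huge value whenever `2 * rep.numAliases` exceeds `8 + rep.length`, which silently disables the bound for a server-chosen `numAliases`. Suggest computing in bytes throughout (`rep.length * 4` minus the padded alias size), checking that the alias bytes fit in the reply before subtracting, or, as Julien suggests, reusing `nbytesName`, and dropping the stray `;`.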
> reply_left looks like a byte count, in which case shouldn't rep.length
> be multiplied by 4?  I don't get where that 8 comes from, either, any
> chance you could explain?  In fact I wonder if this couldn't use
> nbytesName instead?
> 
> Cheers,
> Julien
> _______________________________________________
> xorg-devel at lists.x.org: X.Org development
> Archives: http://lists.x.org/archives/xorg-devel
> Info: https://lists.x.org/mailman/listinfo/xorg-devel

