forked from pool/libX11
Stefan Dirsch
b3142d5467
* fixes off-by-one write in XListExtensions (bsc#1102062, CVE-2018-14599)
- u_out-of-boundary-write-in-XListExtensions.patch
  * fixes out of boundary write in XListExtensions (bsc#1102068, CVE-2018-14600)
- u_crash-on-invalid-reply-in-XListExtensions.patch
  * crash on invalid reply in XListExtensions (bsc#1102073, CVE-2018-14598)

OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/libX11?expand=0&rev=43
47 lines
1.2 KiB
Diff
From 060fc58795737e13639f381a7ea55675fd5339c2 Mon Sep 17 00:00:00 2001
From: Stefan Dirsch <sndirsch@suse.de>
Date: Tue, 14 Aug 2018 11:46:40 +0200
Subject: [PATCH] crash on invalid reply in XListExtensions
References: bsc#1102073 CVE-2018-14598

If the server sends a reply in which even the first string would
overflow the transmitted bytes, list[0] will be set to NULL and
a count of 0 is returned.

If the resulting list is freed with XFreeExtensionList later on,
the first Xfree call:

Xfree (list[0]-1)
turns into
Xfree (NULL-1)

which will most likely trigger a segmentation fault.

I have modified the code to return NULL if the first string would
overflow, thus protecting XFreeExtensionList later on.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
---
src/ListExt.c | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/src/ListExt.c b/src/ListExt.c
index 6537c4dc..ece9ba31 100644
--- a/src/ListExt.c
+++ b/src/ListExt.c
@@ -83,6 +83,11 @@ char **XListExtensions(
length = (unsigned char) *ch;
*ch = '\0'; /* and replace with null-termination */
count++;
+ } else if (i == 0) {
+ Xfree(list);
+ Xfree(ch);
+ list = NULL;
+ break;
} else
list[i] = NULL;
}
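
Review bot: In the new `else if (i == 0)` branch, `Xfree(ch)` is correct only if `ch` still holds the pointer the allocator returned, which nothing in this hunk states; the context lines above read and overwrite `*ch` as a cursor into the reply, so a short comment saying that `ch` has not moved yet when `i == 0` would protect the free against a later reordering of the loop. The branch also clears `list` but leaves `ch` dangling after the free; setting `ch = NULL` next to `list = NULL` would make any code after the `break` that touches `ch` fail safely. As a style point, the new branch is braced while the trailing `else` that sets `list[i] = NULL` is not; bracing both would keep the chain consistent.
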
--
2.16.4