unvalidated length in _XimXGetReadData() [CVE-2013-1997 12/15]

Check the provided buffer size against the amount of data we're going to write into it, not against the reported length from the ClientMessage. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>

unvalidated length in _XimXGetReadData() [CVE-2013-1997 12/15]
0284afb8 · Alan Coopersmith · Ulrich Sibiller · 0bf09b4b · 0284afb8
Commit 0284afb8 authored Mar 02, 2013 by Alan Coopersmith Committed by Ulrich Sibiller Oct 12, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

imTrX.c nx-X11/lib/X11/imTrX.c +1 -1

No files found.
--- a/nx-X11/lib/X11/imTrX.c
+++ b/nx-X11/lib/X11/imTrX.c
@@ -372,7 +372,7 @@ _XimXGetReadData(
 		XFree(prop_ret);
 	    return False;
 	}
-	if (buf_len >= length) {
+	if (buf_len >= (int)nitems) {
 	    (void)memcpy(buf, prop_ret, (int)nitems);
 	    *ret_len  = (int)nitems;
 	    if (bytes_after_ret > 0) {