unvalidated lengths in XAllocColorCells() [CVE-2013-1997 1/15]

If a broken server returned larger than requested values for nPixels or nMasks, XAllocColorCells would happily overflow the buffers provided by the caller to write the results into. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>

unvalidated lengths in XAllocColorCells() [CVE-2013-1997 1/15]
2a1fbb18 · Alan Coopersmith · Ulrich Sibiller · e03f3922 · 2a1fbb18
Commit 2a1fbb18 authored Mar 01, 2013 by Alan Coopersmith Committed by Ulrich Sibiller Oct 12, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 2 deletions

AllCells.c nx-X11/lib/X11/AllCells.c +7 -2

No files found.
--- a/nx-X11/lib/X11/AllCells.c
+++ b/nx-X11/lib/X11/AllCells.c
@@ -54,8 +54,13 @@ Status XAllocColorCells(
    status = _XReply(dpy, (xReply *)&rep, 0, xFalse);

    if (status) {
-	_XRead32 (dpy, (long *) pixels, 4L * (long) (rep.nPixels));
-	_XRead32 (dpy, (long *) masks, 4L * (long) (rep.nMasks));
+	if ((rep.nPixels > ncolors) || (rep.nMasks > nplanes)) {
+	    _XEatDataWords(dpy, rep.length);
+	    status = 0; /* Failure */
+	} else {
+	    _XRead32 (dpy, (long *) pixels, 4L * (long) (rep.nPixels));
+	    _XRead32 (dpy, (long *) masks, 4L * (long) (rep.nMasks));
+	}
    }

    UnlockDisplay(dpy);