Unbounded recursion in _XimParseStringFile() when parsing include files [CVE-2013-2004 2/2]

parseline() can call _XimParseStringFile() which can call parseline() which can call _XimParseStringFile() which can call parseline() .... eventually causing recursive stack overflow and crash. Limit is set to a include depth of 100 files, which should be enough for all known use cases, but could be adjusted later if necessary. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>

Unbounded recursion in _XimParseStringFile() when parsing include files [CVE-2013-2004 2/2]
e386187e · Alan Coopersmith · Ulrich Sibiller · bddfee4a · e386187e
Commit e386187e authored Mar 02, 2013 by Alan Coopersmith Committed by Ulrich Sibiller Oct 12, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 17 additions and 3 deletions

imLcPrs.c nx-X11/lib/X11/imLcPrs.c +17 -3

No files found.
--- a/nx-X11/lib/X11/imLcPrs.c
+++ b/nx-X11/lib/X11/imLcPrs.c
@@ -58,6 +58,8 @@ extern int _Xmbstoutf8(
    int		len
 );

+static void parsestringfile(FILE *fp, Xim im, int depth);
+
 /*
 *	Parsing File Format:
 *
@@ -447,7 +449,8 @@ static int
 parseline(
    FILE *fp,
    Xim   im,
-    char* tokenbuf)
+    char* tokenbuf,
+    int   depth)
 {
    int token;
    DTModifier modifier_mask;
@@ -494,11 +497,13 @@ parseline(
                goto error;
            if ((filename = TransFileName(im, tokenbuf)) == NULL)
                goto error;
+            if (++depth > 100)
+                goto error;
            infp = _XFopenFile(filename, "r");
                Xfree(filename);
            if (infp == NULL)
                goto error;
-            _XimParseStringFile(infp, im);
+            parsestringfile(infp, im, depth);
            fclose(infp);
            return (0);
 	} else if ((token == KEY) && (strcmp("None", tokenbuf) == 0)) {
@@ -692,6 +697,15 @@ _XimParseStringFile(
    FILE *fp,
    Xim   im)
 {
+    parsestringfile(fp, im, 0);
+}
+
+static void
+parsestringfile(
+    FILE *fp,
+    Xim   im,
+    int   depth)
+{
    char tb[8192];
    char* tbp;
    struct stat st;
@@ -704,7 +718,7 @@ _XimParseStringFile(
 	else tbp = malloc (size);

 	if (tbp != NULL) {
-	    while (parseline(fp, im, tbp) >= 0) {}
+	    while (parseline(fp, im, tbp, depth) >= 0) {}
 	    if (tbp != tb) free (tbp);
 	}
    }