libXrender: Changes to 'master'
Matthieu Herrb
herrb at kemper.freedesktop.org
Tue Oct 4 13:55:06 UTC 2016
src/Filter.c | 13 ++++++++++++-
src/Xrender.c | 18 ++++++++++++++++++
2 files changed, 30 insertions(+), 1 deletion(-)
New commits:
commit 9362c7ddd1af3b168953d0737877bc52d79c94f4
Author: Tobias Stoeckmann <tobias at stoeckmann.org>
Date: Sun Sep 25 21:43:09 2016 +0200
Validate lengths while parsing server data.
Individual lengths inside received server data can overflow
the previously reserved memory.
It is therefore important to validate every single length
field to not overflow the previously agreed sum of all individual
length fields.
v2: consume remaining bytes in the reply buffer on error.
Signed-off-by: Tobias Stoeckmann <tobias at stoeckmann.org>
Reviewed-by: Matthieu Herrb at laas.fr
commit 8fad00b0b647ee662ce4737ca15be033b7a21714
Author: Tobias Stoeckmann <tobias at stoeckmann.org>
Date: Sun Sep 25 21:42:09 2016 +0200
Avoid OOB write in XRenderQueryFilters
The memory for filter names is reserved right after receiving the reply.
After that, filters are iterated and each individual filter name is
stored in that reserved memory.
The individual name lengths are not checked for validity, which means
that a malicious server can reserve less memory than it will write to
during each iteration.
v2: consume remaining bytes in reply buffer on error.
Signed-off-by: Tobias Stoeckmann <tobias at stoeckmann.org>
Reviewed-by: Matthieu Herrb <matthieu at herrb.eu>
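
The check both commit messages describe, as an added example that is not the libXrender code from these commits: each length field is charged against the memory reserved up front, and on a bad length the rest of the reply is consumed before failing. `struct reply`, `reply_read` and `parse_names` are hypothetical names, and the reply bytes are modelled as an in-memory buffer.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the unread part of a server reply (hypothetical). */
struct reply { const unsigned char *data; size_t left; };

/* Read n bytes from the reply; returns 0 if the reply is too short. */
static int reply_read(struct reply *r, void *dst, size_t n)
{
    if (n > r->left) return 0;
    memcpy(dst, r->data, n);
    r->data += n;
    r->left -= n;
    return 1;
}

/*
 * Parse `count` names, each sent as one length byte followed by that many
 * bytes, into a single allocation of `reserved` bytes (the size agreed from
 * the reply header, including one NUL terminator per name).
 * Returns the block of NUL-terminated names, or NULL if any length field
 * exceeds what is left of the reservation or the reply is truncated.
 */
char *parse_names(struct reply *r, size_t count, size_t reserved)
{
    char *block = malloc(reserved ? reserved : 1);
    char *out = block;
    size_t budget = reserved;   /* bytes of the reservation still unused */

    if (block == NULL) { r->data += r->left; r->left = 0; return NULL; }
    for (size_t i = 0; i < count; i++) {
        unsigned char len;
        /* A name costs len bytes plus its terminator; check before copying. */
        if (!reply_read(r, &len, 1) || (size_t)len + 1 > budget ||
            !reply_read(r, out, len)) {
            r->data += r->left;   /* consume remaining bytes on error */
            r->left = 0;
            free(block);
            return NULL;
        }
        out[len] = '\0';
        out += (size_t)len + 1;
        budget -= (size_t)len + 1;
    }
    return block;
}
```

Consuming the unread bytes on the error path keeps the connection's byte stream aligned with the next reply, which is what the "v2" notes in both commits refer to.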