[PATCH xts 2/2] libproto: RcvRep: Don't overwrite memory in QueryFont
Peter Harris
pharris at opentext.com
Tue Jan 20 17:57:35 PST 2015
If the server returns a bogus (short) reply to a swapped QueryFont
request, RcvRep swaps past the end of its buffer, smashing the heap.
Signed-off-by: Peter Harris <pharris at opentext.com>
---
xts5/src/libproto/RcvRep.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/xts5/src/libproto/RcvRep.c b/xts5/src/libproto/RcvRep.c
index c375d5a..946ce6f 100644
--- a/xts5/src/libproto/RcvRep.c
+++ b/xts5/src/libproto/RcvRep.c
@@ -374,6 +374,10 @@ int client; /* */
wbcopy(rbp,valuePtr, 32);
break;
case X_QueryFont:
+ if (rp->generic.length < 7) {
+ Length_Error(max(bytes_there,calculated_length<<2),client,rp,type,"QueryFont",7);
+ break;
+ }
valuePtr = (unsigned char *) &(((xQueryFontReply *)rp)->minBounds);
Unpack_Shorts((unsigned short *) valuePtr, &rbp, 6, needswap);
rbp += 4;
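Review bot: the new check at the top of `case X_QueryFont:` tests `rp->generic.length`, while the `Length_Error` call on the next line reports `calculated_length<<2`. Since the commit message says the overrun happens on a swapped reply, please confirm that `rp->generic.length` has already been byte-swapped when this comparison runs, or compare against the same value that is reported. The literal 7 appears twice with no explanation. A one-line comment saying it is the fixed part of the QueryFont reply in 4-byte units beyond the 32-byte reply header, or a named constant, would make the bound easier to audit. The check covers only that fixed part. The visible lines do not show whether the variable-length data that follows is bounded against the reply length, so that is worth checking in the code after `rbp += 4;`.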
--
2.1.0
More information about the xorg-devel mailing list