[PATCH libXpm] Fix out out boundary read on unknown colors
Matthieu Herrb
matthieu at herrb.eu
Tue Dec 6 21:31:53 UTC 2016
From: Tobias Stoeckmann <tobias at stoeckmann.org>
libXpm is vulnerable to an out of boundary read if an XPM file contains
a color with a symbolic name but without any default color value.
A caller must set XpmColorSymbols and a color with a NULL name in
the supplied XpmAttributes to XpmReadFileToImage (or other functions of
this type) in order to trigger this issue.
---
src/create.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/create.c b/src/create.c
index d013da9..a750846 100644
--- a/src/create.c
+++ b/src/create.c
@@ -647,7 +647,8 @@ CreateColors(
while (def_index <= 5 && defaults[def_index] == NULL)
++def_index;
}
- if (def_index >= 2 && defaults[def_index] != NULL &&
+ if (def_index >= 2 && def_index <= 5 &&
+ defaults[def_index] != NULL &&
!xpmstrcasecmp(symbol->value, defaults[def_index]))
break;
}
--
2.10.2
More information about the xorg-devel
mailing list