On Sun, Sep 25, 2016 at 22:50:45 +0200, Matthieu Herrb wrote:

> From: Tobias Stoeckmann <tob...@stoeckmann.org>
> 
> The memory for filter names is reserved right after receiving the reply.
> After that, filters are iterated and each individual filter name is
> stored in that reserved memory.
> 
> The individual name lengths are not checked for validity, which means
> that a malicious server can reserve less memory than it will write to
> during each iteration.
> 
> v2: consume remaining bytes in reply buffer on error.
> 
> Signed-off-by: Tobias Stoeckmann <tob...@stoeckmann.org>
> Reviewed-by: Matthieu Herrb <matth...@herrb.eu>
> ---
>  src/Filter.c | 13 ++++++++++++-
>  1 file changed, 12 insertions(+), 1 deletion(-)
> 
> diff --git a/src/Filter.c b/src/Filter.c
> index edfa572..8d701eb 100644
> --- a/src/Filter.c
> +++ b/src/Filter.c
> @@ -38,7 +38,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
>      char                     *name;
>      char                     len;
>      int                              i;
> -    unsigned long            nbytes, nbytesAlias, nbytesName;
> +    unsigned long            nbytes, nbytesAlias, nbytesName, reply_left;
>  
>      if (!RenderHasExtension (info))
>       return NULL;
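Review bot: reply_left is declared unsigned long here, but the `len` it will be checked against is the plain `char` declared three lines up, which is signed on common ABIs; a server-supplied length byte of 0x80 or above becomes negative there, and once promoted next to an unsigned long it turns into a huge value (harmless in a `len > reply_left` test, but wrong if it is ever subtracted from reply_left). Declare len as `unsigned char`, or cast it to an unsigned type wherever the new code compares it with reply_left.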
> @@ -114,6 +114,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
>       * Read the filter aliases
>       */
>      _XRead16Pad (dpy, filters->alias, 2 * rep.numAliases);
> +    reply_left = 8 + rep.length - 2 * rep.numAliases;;
>  
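Review bot: `reply_left = 8 + rep.length - 2 * rep.numAliases;;` carries a stray second semicolon, and the expression mixes units: rep.length is the X reply length in 4-byte words, while `2 * rep.numAliases` is the byte count just passed to _XRead16Pad on the line above, and the `8 +` is unexplained. Express the whole thing in bytes (`4 * rep.length`) with a comment saying what the constant accounts for, or reuse the existing nbytesName/nbytesAlias byte counts. Also, since reply_left is unsigned long, the subtraction wraps to a huge value if `2 * rep.numAliases` exceeds the reply body, which would defeat the bound it is meant to provide; make sure numAliases has been validated against rep.length before this line, or check it here.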
reply_left looks like a byte count, in which case shouldn't rep.length
be multiplied by 4?  I don't get where that 8 comes from, either, any
chance you could explain?  In fact I wonder if this couldn't use
nbytesName instead?

Cheers,
Julien
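The bound the patch is trying to establish, as an added illustration written for this thread and not code from libXrender or from the patch: a parser for a constructed reply layout (assumed here, not the real RenderQueryFilters wire format) that keeps reply_left as a byte count by scaling the word-sized length field by 4, validates the alias block before subtracting it so the unsigned count cannot wrap, and rejects any server-supplied name length that would run past the bytes actually remaining.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed reply layout (an assumption modelled on the X reply shape under
 * discussion, not libXrender's own structures):
 *   bytes 0-3: length of the body in 4-byte units (as in every X reply)
 *   bytes 4-5: numAliases   bytes 6-7: numFilters
 *   body: numAliases CARD16 aliases padded to 4 bytes, then numFilters names,
 *         each a 1-byte length followed by that many bytes. */
#define HDR 8
#define NAME_MAX 32

static uint32_t rd32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }

/* Returns the number of names copied into out, or -1 if any server-supplied
 * length would run past the bytes that actually remain in the reply. */
int parse_filters(const uint8_t *buf, size_t buflen, char out[][NAME_MAX], int max)
{
    if (buflen < HDR) return -1;
    uint16_t numAliases = rd16(buf + 4), numFilters = rd16(buf + 6);
    size_t nbytesAlias = ((size_t)numAliases * 2 + 3) & ~(size_t)3;
    /* reply_left is a byte count, so the word count from the header is scaled by 4. */
    size_t reply_left = (size_t)rd32(buf) * 4;
    /* Check the alias block against the body before subtracting it, so an
     * oversized numAliases cannot wrap reply_left to a huge value. */
    if (reply_left > buflen - HDR || nbytesAlias > reply_left) return -1;
    const uint8_t *p = buf + HDR + nbytesAlias;
    reply_left -= nbytesAlias;
    int n = 0;
    for (uint16_t i = 0; i < numFilters; i++) {
        if (reply_left < 1) return -1;             /* no room for a length byte */
        size_t len = p[0];                         /* untrusted, chosen by the server */
        if (len + 1 > reply_left || len >= NAME_MAX || n >= max) return -1;
        memcpy(out[n], p + 1, len); out[n][len] = '\0'; n++;
        p += 1 + len; reply_left -= 1 + len;
    }
    return n;
}

/* Constructed samples: body length 3 words = 12 bytes, no aliases, two names. */
static const uint8_t good_reply[] = {3,0,0,0, 0,0, 2,0, 4,'f','a','s','t', 4,'g','o','o','d', 0,0};
/* Same header, but the first name claims 200 bytes the reply does not hold. */
static const uint8_t bad_len_reply[] = {3,0,0,0, 0,0, 2,0, 200,'f','a','s','t', 4,'g','o','o','d', 0,0};
/* numAliases = 0xFFFF: the alias block alone exceeds the 12-byte body. */
static const uint8_t bad_alias_reply[] = {3,0,0,0, 0xFF,0xFF, 2,0, 4,'f','a','s','t', 4,'g','o','o','d', 0,0};

int demo_good(void)      { char n[4][NAME_MAX]; return parse_filters(good_reply, sizeof good_reply, n, 4); }
int demo_bad_len(void)   { char n[4][NAME_MAX]; return parse_filters(bad_len_reply, sizeof bad_len_reply, n, 4); }
int demo_bad_alias(void) { char n[4][NAME_MAX]; return parse_filters(bad_alias_reply, sizeof bad_alias_reply, n, 4); }

int main(void) { printf("good=%d bad_len=%d bad_alias=%d\n", demo_good(), demo_bad_len(), demo_bad_alias()); return 0; }
```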
_______________________________________________
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: https://lists.x.org/mailman/listinfo/xorg-devel
