Anyone? This still looks wrong to me. Cheers, Julien
On Sat, Jan 7, 2017 at 18:46:57 +0100, Julien Cristau wrote: > On Sun, Sep 25, 2016 at 22:50:45 +0200, Matthieu Herrb wrote: > > > From: Tobias Stoeckmann <tob...@stoeckmann.org> > > > > The memory for filter names is reserved right after receiving the reply. > > After that, filters are iterated and each individual filter name is > > stored in that reserved memory. > > > > The individual name lengths are not checked for validity, which means > > that a malicious server can reserve less memory than it will write to > > during each iteration. > > > > v2: consume remaining bytes in reply buffer on error. > > > > Signed-off-by: Tobias Stoeckmann <tob...@stoeckmann.org> > > Reviewed-by: Matthieu Herrb <matth...@herrb.eu> > > --- > > src/Filter.c | 13 ++++++++++++- > > 1 file changed, 12 insertions(+), 1 deletion(-) > > > > diff --git a/src/Filter.c b/src/Filter.c > > index edfa572..8d701eb 100644 > > --- a/src/Filter.c > > +++ b/src/Filter.c > > @@ -38,7 +38,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable) > > char *name; > > char len; > > int i; > > - unsigned long nbytes, nbytesAlias, nbytesName; > > + unsigned long nbytes, nbytesAlias, nbytesName, reply_left; > > > > if (!RenderHasExtension (info)) > > return NULL; 
> > @@ -114,6 +114,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable) > > * Read the filter aliases > > */ > > _XRead16Pad (dpy, filters->alias, 2 * rep.numAliases); > > + reply_left = 8 + rep.length - 2 * rep.numAliases;; > > > reply_left looks like a byte count, in which case shouldn't rep.length > be multiplied by 4? I don't get where that 8 comes from, either, any > chance you could explain? In fact I wonder if this couldn't use > nbytesName instead? > > Cheers, > Julien > _______________________________________________ > xorg-devel@lists.x.org: X.Org development > Archives: http://lists.x.org/archives/xorg-devel > Info: https://lists.x.org/mailman/listinfo/xorg-devel
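Review bot: In the second hunk, `reply_left = 8 + rep.length - 2 * rep.numAliases;;` mixes units: `rep.length` is the reply length field, which the X protocol counts in 4-byte units, while `2 * rep.numAliases` is the byte count just passed to `_XRead16Pad`. If `reply_left` is meant to track the bytes still unread in the reply, convert `rep.length` to bytes before subtracting, and add a comment stating what the constant 8 accounts for, since nothing in the hunk explains it. Because the first hunk declares `reply_left` as `unsigned long` and both operands come from the server's reply, also make sure the subtraction cannot wrap around when `rep.numAliases` is large relative to `rep.length`; a wrapped value would defeat any later bound check built on it. If `_XRead16Pad` consumes padding beyond the requested size, the padded size is what should be subtracted. The trailing `;;` should be a single semicolon.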