On 01/20/2015 05:57 PM, Peter Harris wrote:
> If the server returns a bogus (short) reply to a swapped QueryFont
> request, RcvRep swaps past the end of its buffer, smashing the heap.
>
> Signed-off-by: Peter Harris <[email protected]>
Given the calculated_length check later in that case, this change looks
trivially correct.

Reviewed-by: Ian Romanick <[email protected]>

> ---
> xts5/src/libproto/RcvRep.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/xts5/src/libproto/RcvRep.c b/xts5/src/libproto/RcvRep.c
> index c375d5a..946ce6f 100644
> --- a/xts5/src/libproto/RcvRep.c
> +++ b/xts5/src/libproto/RcvRep.c
> @@ -374,6 +374,10 @@ int client; /* */
> wbcopy(rbp,valuePtr, 32);
> break;
> case X_QueryFont:
> + if (rp->generic.length < 7) {
> +
> Length_Error(max(bytes_there,calculated_length<<2),client,rp,type,"QueryFont",7);
> + break;
> + }
> valuePtr = (unsigned char *) &(((xQueryFontReply
> *)rp)->minBounds);
> Unpack_Shorts((unsigned short *) valuePtr, &rbp, 6, needswap);
> rbp += 4;
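Review bot: The new guard `if (rp->generic.length < 7)` reads a field of a reply that, per the commit message, arrives byte-swapped (the surrounding code still passes `needswap` to Unpack_Shorts), so it is worth confirming that `generic.length` has already been converted to host order at this point; otherwise the check could miss a short reply or reject a valid one. The literal 7 also appears twice, in the comparison and as the last argument to Length_Error, with nothing saying what it represents; a named constant or a one-line comment would make both uses self-explanatory. Finally, the Length_Error call is wrapped across two quoted lines in this message (a bare `+` line followed by an unprefixed continuation), so anyone applying the change should take the patch from the original post rather than from this quote.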
