authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-04-13 12:27:10 -0700
committerAlan Coopersmith <alan.coopersmith@oracle.com>2013-05-04 19:05:02 -0700
commit5dcfa6a8cf2df39828da733e5945e730518c27b3 (patch)
tree3b2c8058bef05c3bb1b8315aeed94d33838e7115
parentf4a8dd63af518640468d82948f450aad4b2b1e6a (diff)
buffer overflow in XDGAQueryModes() [CVE-2013-2000 1/2]
When reading the name strings for the modes off the network, we never checked to make sure the length of the individual name strings didn't overflow the size of the buffer we'd allocated based on the reported rep.length for the total reply size. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-rw-r--r--src/XF86DGA2.c13
1 files changed, 10 insertions, 3 deletions
diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
index 8830266..b5145ee 100644
--- a/src/XF86DGA2.c
+++ b/src/XF86DGA2.c
@@ -356,9 +356,16 @@ XDGAMode* XDGAQueryModes(
modes[i].reserved1 = info.reserved1;
modes[i].reserved2 = info.reserved2;
- _XRead(dpy, offset, info.name_size);
- modes[i].name = offset;
- offset += info.name_size;
+ if (info.name_size > 0 && info.name_size <= size) {
+ _XRead(dpy, offset, info.name_size);
+ modes[i].name = offset;
+ modes[i].name[info.name_size - 1] = '\0';
+ offset += info.name_size;
+ size -= info.name_size;
+ } else {
+ _XEatData(dpy, info.name_size);
+ modes[i].name = NULL;
+ }
}
*num = rep.number;
} else
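Review bot: The guard `if (info.name_size > 0 && info.name_size <= size)` only prevents the overrun if `size` is the number of bytes still free for names in the block that `offset` points into, and nothing in the hunk shows how `size` is initialised or whether it was reduced by the fixed-size mode records already read; if it still holds the total reply size derived from rep.length (as the description puts it), a name can pass the check and still run past the end of the allocation by up to the space those records occupy. The initialisation of `size` and the rest of XDGAQueryModes lie outside the hunk, so this should be confirmed there, and the fixed-size part subtracted before the loop if it is not already. The else branch also changes the returned array's contract: `modes[i].name` may now be NULL for a mode whose name was empty or oversized, which callers that pass it straight to `printf("%s", ...)` or `strcmp` will not expect; a comment such as `/* name is empty or would overrun the remaining buffer: consume it off the wire to keep the stream in sync, but expose no name */` above `_XEatData` and a sentence in the XDGAQueryModes documentation stating that `name` can be NULL would make that visible.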