authorPeter Harris <pharris@opentext.com>2015-01-20 19:54:07 -0500
committerPeter Harris <pharris@opentext.com>2015-01-21 16:04:06 -0500
commitc7defe5f48f73313ca68396d550cd6d9d47d8501 (patch)
tree804f7c81a4b8dda1b0a773612b8f6dd3bc3796ee
parented1ea7a8f15d177d2339bdc623fd2190045e40f2 (diff)
libproto: RcvRep: Don't overwrite memory in QueryFont
If the server returns a bogus (short) reply to a swapped QueryFont request, RcvRep swaps past the end of its buffer, smashing the heap. Signed-off-by: Peter Harris <pharris@opentext.com> Reviewed-by: Ian Romanick <ian.d.romanick@intel.com>
-rw-r--r--xts5/src/libproto/RcvRep.c4
1 files changed, 4 insertions, 0 deletions
diff --git a/xts5/src/libproto/RcvRep.c b/xts5/src/libproto/RcvRep.c
index c375d5a3..946ce6fc 100644
--- a/xts5/src/libproto/RcvRep.c
+++ b/xts5/src/libproto/RcvRep.c
@@ -374,6 +374,10 @@ int client; /* */
wbcopy(rbp,valuePtr, 32);
break;
case X_QueryFont:
+ if (rp->generic.length < 7) {
+ Length_Error(max(bytes_there,calculated_length<<2),client,rp,type,"QueryFont",7);
+ break;
+ }
valuePtr = (unsigned char *) &(((xQueryFontReply *)rp)->minBounds);
Unpack_Shorts((unsigned short *) valuePtr, &rbp, 6, needswap);
rbp += 4;
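Review bot: The new guard in the `X_QueryFont` case only establishes that the reply claims the 7 extra words of the fixed `xQueryFontReply` body; it says nothing about the variable-length tail (the font properties and char infos counted by `nFontProps` and `nCharInfos`). The rest of the case lies outside this hunk, so if it swaps that tail using the server-supplied counts, those counts should also be checked against `rp->generic.length` before any swapping, or a short reply can still run past the buffer. The bare `7` would be easier to audit with a comment such as `/* 7 words = (sz_xQueryFontReply - sz_xGenericReply) / 4 */`, or by deriving it from those constants. It is also worth confirming that `rp->generic.length` has already been byte-swapped when this comparison runs, since this path handles swapped clients.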