Possible SEGV (buffer overflow) in __glXGetDrawableScreen()

The glXGetDrawableScreen() function trusts the on-the-wire numAttribs returned in the xGLXGetDrawableAttributesReply message. This possibly leads to a buffer overflow.

This is essentially the same problem as this issue.

Here is the relevant source code + annotations:

libGLX.so:libglxproto.c

    int __glXGetDrawableScreen(...)
    {
        xGLXGetDrawableAttributesReply rep;
        ...
        st = ReadReply(dpyInfo, (xReply *) &rep, (void **) &attribs);
        ...
        for (i=0; i<rep.numAttribs; i++) {
            /* <--- buffer overflow since
             *      rep.numAttribs is not validated
             *      against the length of attribs */
            if (attribs[i * 2] == GLX_SCREEN) {
                screen = attribs[i * 2 + 1];
                break;
            }
        }
        ...
    }

Admin message

Possible SEGV (buffer overflow) in __glXGetDrawableScreen()