Possible SEGV (buffer overflow) in __glXGetDrawableScreen()
The __glXGetDrawableScreen() function trusts the on-the-wire numAttribs value returned in the xGLXGetDrawableAttributesReply message. Because that count is never checked against the amount of attribute data actually received, it can lead to a buffer overflow (out-of-bounds read of attribs).
This is essentially the same problem as this issue.
Here is the relevant source code + annotations:
libGLX.so: libglxproto.c

```c
int __glXGetDrawableScreen(...)
{
    xGLXGetDrawableAttributesReply rep;
    ...
    st = ReadReply(dpyInfo, (xReply *) &rep, (void **) &attribs);
    ...
    for (i = 0; i < rep.numAttribs; i++) {
        /* <--- buffer overflow since rep.numAttribs is not
         * validated against the length of attribs */
        if (attribs[i * 2] == GLX_SCREEN) {
            screen = attribs[i * 2 + 1];
            break;
        }
    }
    ...
}
```
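The following is an added example (not libglvnd's code) of the bounds check the loop above is missing: the reply's attribute count is validated against the number of 32-bit words actually delivered before `attribs` is indexed. The `DrawableAttribsReply` struct and the sample replies are constructed stand-ins for the real `xGLXGetDrawableAttributesReply` and wire data; `GLX_SCREEN` is the value from glx.h.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define GLX_SCREEN 0x800C  /* from glx.h */

/* Constructed stand-in for the reply fields that matter here; not the
 * real xGLXGetDrawableAttributesReply layout. X11 reply "length" counts
 * 4-byte words of data following the fixed reply header. */
typedef struct {
    uint32_t length;      /* words of trailing data claimed by the server */
    uint32_t numAttribs;  /* server-controlled count of (name, value) pairs */
} DrawableAttribsReply;

/* Returns the GLX_SCREEN value, or -1 if the reply is inconsistent or
 * carries no screen. attribs_words is how many 32-bit words were really
 * read into attribs, i.e. the bound the original loop never checks. */
int find_drawable_screen(const DrawableAttribsReply *rep,
                         const uint32_t *attribs, size_t attribs_words)
{
    /* Each attribute is a (name, value) pair, two words. Use 64-bit
     * arithmetic so a huge numAttribs cannot wrap the multiplication. */
    uint64_t needed = (uint64_t)rep->numAttribs * 2;
    if (needed > attribs_words || needed > rep->length)
        return -1;                       /* reject before touching attribs */
    for (uint32_t i = 0; i < rep->numAttribs; i++) {
        if (attribs[i * 2] == GLX_SCREEN)
            return (int)attribs[i * 2 + 1];
    }
    return -1;
}

/* Constructed sample: a consistent reply (2 pairs, 4 words delivered). */
int demo_well_formed(void)
{
    uint32_t attribs[] = { 0x1234, 7, GLX_SCREEN, 1 };
    DrawableAttribsReply rep = { .length = 4, .numAttribs = 2 };
    return find_drawable_screen(&rep, attribs, 4);
}

/* Constructed sample: same 4 words, but numAttribs inflated far past them. */
int demo_inflated_count(void)
{
    uint32_t attribs[] = { 0x1234, 7, GLX_SCREEN, 1 };
    DrawableAttribsReply rep = { .length = 4, .numAttribs = 1000000 };
    return find_drawable_screen(&rep, attribs, 4);
}
```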