Possible SEGV (buffer overflow) in __glXGetDrawableAttribute()
Describe the issue
The __glXGetDrawableAttribute() function trusts the on-the-wire numAttribs value returned in an xGLXGetDrawableAttributesReply message. The data buffer is allocated and filled from length (the amount of data actually read), but the search loop is bounded by numAttribs instead. If the attribute is not found (e.g., because the reply is corrupt), the loop keeps indexing past the end of that buffer, which leads to a buffer overflow (an out-of-bounds read).
The relevant (annotated) source code is here:
libGLX_mesa.so:glx_pbuffer.c
```c
int __glXGetDrawableAttribute(...)
{
    xGLXGetDrawableAttributesReply reply;
    ...
    _XReply(dpy, (xReply *) & reply, 0, False);
    ...
    /* <---- To reproduce:
     * use GDB to set attrib = 47474 and
     * reply.numAttribs = 999999 */
    num_attributes = reply.numAttribs;
    data = malloc(length * sizeof(CARD32));
    ...
    _XRead(dpy, (char *) data, length * sizeof(CARD32));
    for (i = 0; i < num_attributes; i++) {
        /* <--- buffer overflow: i is bounded by numAttribs, not by length */
        if (data[i * 2] == attribute) {
            ...
        }
    }
    ...
}
```
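A bounds-checked form of that lookup, added here as an illustration (it is not Mesa's code and not a proposed patch): the server-claimed numAttribs is validated against the number of CARD32 words actually read before it is used as the loop bound. The struct drawable_attrs_reply, sample_data and demo_lookup names, and the attribute tokens in the sample, are assumptions made for the example.

```c
#include <stdint.h>

typedef uint32_t CARD32;

/* Constructed stand-in for the two xGLXGetDrawableAttributesReply fields the
 * lookup depends on; both come from the X server. numAttribs is the claimed
 * pair count, length the number of CARD32 words _XRead() actually filled. */
struct drawable_attrs_reply {
    CARD32 numAttribs;
    CARD32 length;
};

/* Returns 1 (and stores *value) if attribute is present, 0 if absent, -1 if
 * the reply is inconsistent. The loop bound is checked against the data that
 * was actually read, so a corrupt numAttribs cannot index past the buffer. */
int lookup_drawable_attribute(const struct drawable_attrs_reply *reply,
                              const CARD32 *data, CARD32 attribute,
                              CARD32 *value)
{
    CARD32 pairs_in_buffer = reply->length / 2;

    if (reply->numAttribs > pairs_in_buffer)
        return -1;  /* claims more pairs than it carried: malformed reply */

    for (CARD32 i = 0; i < reply->numAttribs; i++) {
        if (data[i * 2] == attribute) {
            *value = data[i * 2 + 1];
            return 1;
        }
    }
    return 0;
}

/* Constructed sample of two pairs (4 words read); hypothetical tokens. */
static const CARD32 sample_data[4] = { 0x8010, 64, 0x8011, 32 };

/* Looks up attribute in sample_data under a server-claimed numAttribs.
 * With 999999, as in the report, the unchecked loop would read far past the
 * buffer; here the reply is rejected before any out-of-bounds read. */
int demo_lookup(CARD32 claimed_num_attribs, CARD32 attribute)
{
    CARD32 value = 0;
    struct drawable_attrs_reply reply = { claimed_num_attribs, 4 };
    return lookup_drawable_attribute(&reply, sample_data, attribute, &value);
}
```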
System information
```text
System:
  Host: gjd-VirtualBox Kernel: 6.2.0-24-generic arch: x86_64 bits: 64
  compiler: N/A Desktop: GNOME v: 44.0 tk: GTK v: 3.24.37 wm: gnome-shell
  dm: GDM3 Distro: Ubuntu 23.04 (Lunar Lobster)
CPU:
  Info: 8-core model: Intel Xeon E5-2630 v4 bits: 64 type: MCP arch: Broadwell
  rev: 1 cache: L1: 512 KiB L2: 2 MiB L3: 200 MiB
  Speed (MHz): avg: 2195 min/max: N/A cores: 1: 2195 2: 2195 3: 2195 4: 2195
  5: 2195 6: 2195 7: 2195 8: 2195 bogomips: 35118
  Flags: avx ht lm nx pae sse sse2 sse3 sse4_1 sse4_2 ssse3
Graphics:
  Device-1: InnoTek Systemberatung GmbH VirtualBox Graphics Adapter
  driver: vboxvideo v: kernel ports: active: VGA-1 empty: none bus-ID: 00:02.0
  chip-ID: 80ee:beef
  Display: x11 server: X.Org v: 1.21.1.7 with: Xwayland v: 22.1.8
  compositor: gnome-shell driver: X: loaded: modesetting unloaded: fbdev,vesa
  alternate: vboxvideo dri: swrast gpu: vboxvideo display-ID: :1 screens: 1
  Screen-1: 0 s-res: 3576x1999 s-dpi: 96
  Monitor-1: VGA-1 model: VBOX monitor res: 3576x1999 size: N/A
  API: OpenGL v: 4.5 Mesa 23.0.4-0ubuntu1~23.04.1 renderer: llvmpipe (LLVM
  15.0.7 256 bits) direct-render: Yes
```