Commit e8372276, committed by Matthieu Herrb
Fixed crash on invalid reply (CVE-2018-14598).
If the server sends a reply in which even the first string would overflow the transmitted bytes, list (or flist) will be set to NULL and a count of 0 is returned.

If the resulting list is freed with XFreeExtensionList or XFreeFontPath later on, the first Xfree call: Xfree (list-1) turns into Xfree (NULL-1) which will most likely trigger a segmentation fault.

I have modified the code to return NULL if the first string would overflow, thus protecting the freeing functions later on.

Signed-off-by: Tobias Stoeckmann <firstname.lastname@example.org>
Showing with 10 additions and 0 deletions
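
The failure mode described in the commit message, as an added example that is not libX11's code and not part of this commit: a simplified model of the parse-then-free pattern. The function names, the `hardened` flag and the sample bytes are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Model of the reply body: n length-prefixed strings in rlen bytes.
 * Entries point one byte past each length byte, into a single buffer,
 * so the free routine releases list[0] - 1. Names are hypothetical. */
char **parse_names(const unsigned char *reply, size_t rlen, int n,
                   int hardened, int *count)
{
    *count = 0;
    if (n <= 0 || rlen == 0) return NULL;
    char **list = calloc((size_t)n, sizeof *list);
    unsigned char *p = calloc(rlen + 1, 1);   /* +1 for the last NUL */
    if (!list || !p) { free(list); free(p); return NULL; }
    memcpy(p, reply, rlen);
    unsigned char *end = p + rlen;
    size_t length = *p;
    for (int i = 0; i < n; i++) {
        if (length < (size_t)(end - p)) {     /* string fits in the reply */
            list[i] = (char *)p + 1;          /* skip the length byte */
            p += length + 1;                  /* move to next length byte */
            length = *p;
            *p = '\0';                        /* terminate previous string */
            (*count)++;
        } else if (i == 0 && hardened) {
            free(list); free(p);              /* nothing was parsed: hand */
            return NULL;                      /* back NULL, not list[0]==NULL */
        } else {
            list[i] = NULL;                   /* unhardened: also for i == 0 */
        }
    }
    return list;
}

void free_names(char **list)
{
    if (list == NULL) return;
    free(list[0] - 1);     /* invalid pointer if list[0] is NULL */
    free(list);
}

int main(void)
{
    static const unsigned char bad[] = {200, 'a', 'b', 'c'}; /* constructed */
    int count;
    free_names(parse_names(bad, sizeof bad, 1, 1, &count)); /* NULL: safe */
    return count;
}
```

With `hardened` set to 0 the same input yields a non-NULL list whose first entry is NULL, which is the state that `free_names` cannot handle.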