Commit dbf72805 authored by Tobias Stoeckmann, committed by Matthieu Herrb

Fixed out of boundary write (CVE-2018-14600).

The length value is interpreted as signed char on many systems
(depending on default signedness of char), which can lead to an out of
boundary write up to 128 bytes in front of the allocated storage, but
limited to NUL byte(s).

Casting the length value to unsigned char fixes the problem and allows
string values with up to 255 characters.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
parent b469da14
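As an added illustration of the signedness bug the commit message describes (this is example code, not libX11's or the commit's own code), the snippet below reads a length byte the pre-fix way and the post-fix way, then runs the fixed unpacking loop over a constructed buffer containing a 200-byte string. The "char is signed" platform is modelled with an explicit `signed char`, and the buffer layout is an assumption built for the example.

```c
/* Added example (not libX11 code) modelling the length-prefix decoding fixed
 * by this commit: 1-byte length, then that many chars, repeated. */
#include <stdlib.h>
#include <string.h>

/* Pre-fix read on a platform where plain char is signed (modelled with an
 * explicit signed char): values >= 128 come back negative, so the later
 * "ch += length + 1; *ch = '\0'" writes before the buffer. */
int length_as_signed_char(const char *ch)
{
    return *(const signed char *)ch;   /* byte 0xC8 -> -56 */
}

/* Post-fix read: always 0..255, so strings up to 255 bytes work. */
int length_as_unsigned_char(const char *ch)
{
    return *(const unsigned char *)ch; /* byte 0xC8 -> 200 */
}

/* Unpack in place into NUL-terminated strings, mirroring the fixed loop in
 * the diff. buf must hold nbytes + 1 bytes: the last terminator is written
 * at buf + nbytes. Returns the number of strings unpacked. */
int unpack_strings(char *buf, size_t nbytes, char **list, int nitems)
{
    char *ch = buf, *chend = buf + nbytes;
    int length = *(unsigned char *)ch, count = 0, i;
    for (i = 0; i < nitems && ch + length < chend; i++) {
        list[i] = ch + 1;               /* skip over length */
        ch += length + 1;               /* find next length */
        length = *(unsigned char *)ch;
        *ch = '\0';                     /* terminate the previous string */
        count++;
    }
    return count;
}

/* Constructed sample: a 200-byte path followed by a 3-byte one. Returns 1
 * when both unpack correctly under the unsigned interpretation. */
int demo_unpack(void)
{
    char *list[2];
    size_t n = 1 + 200 + 1 + 3;
    char *buf = calloc(n + 1, 1);
    buf[0] = (char)200; memset(buf + 1, 'a', 200);
    buf[201] = 3;       memcpy(buf + 202, "abc", 3);
    int ok = unpack_strings(buf, n, list, 2) == 2
          && strlen(list[0]) == 200 && strcmp(list[1], "abc") == 0;
    free(buf);
    return ok;
}
```

With the signed read, the same 0xC8 byte would make `ch += length + 1` step 55 bytes backwards and place the `'\0'` in front of the allocation, which is the write the commit removes.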
......@@ -70,12 +70,12 @@ char **XGetFontPath(
* unpack into null terminated strings.
*/
chend = ch + nbytes;
length = *ch;
length = *(unsigned char *)ch;
for (i = 0; i < rep.nPaths; i++) {
if (ch + length < chend) {
flist[i] = ch+1; /* skip over length */
ch += length + 1; /* find next length ... */
length = *ch;
length = *(unsigned char *)ch;
*ch = '\0'; /* and replace with null-termination */
count++;
} else
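Review bot: the bounds test `if (ch + length < chend)` still allows `ch` to land exactly on `chend` after `ch += length + 1;`, and the following `length = *(unsigned char *)ch;` and `*ch = '\0';` then read and write that byte; the hunk does not show how the buffer behind `ch` is sized, so confirm it is allocated with one byte beyond `nbytes` for this final terminator. A one-line comment on the cast, e.g. `/* length byte is 0..255; plain char may be signed */`, would record why `*(unsigned char *)ch` is required so the cast is not "simplified" away later.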
......@@ -75,12 +75,12 @@ char **XListExtensions(
* unpack into null terminated strings.
*/
chend = ch + rlen;
length = *ch;
length = *(unsigned char *)ch;
for (i = 0; i < rep.nExtensions; i++) {
if (ch + length < chend) {
list[i] = ch+1; /* skip over length */
ch += length + 1; /* find next length ... */
length = *ch;
length = *(unsigned char *)ch;
*ch = '\0'; /* and replace with null-termination */
count++;
} else
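Review bot: this loop in XListExtensions is the same unpacking code as in XGetFontPath, so the signedness bug had to be patched twice; consider moving the length-prefixed-string unpacking into one shared static helper so the two copies cannot diverge again. The same observation about the bounds test applies here with `rlen`: after `ch += length + 1;` the pointer may equal `chend` when `*ch = '\0';` runs, so the allocation behind `ch` must include that trailing byte.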