Commit e8372276 authored by Tobias Stoeckmann, committed by Matthieu Herrb

Fixed crash on invalid reply (CVE-2018-14598).

If the server sends a reply in which even the first string would
overflow the transmitted bytes, list[0] (or flist[0]) will be set to
NULL and a count of 0 is returned.

If the resulting list is freed with XFreeExtensionList or
XFreeFontPath later on, the first Xfree call:

    Xfree (list[0]-1)
 turns into
    Xfree (NULL-1)

which will most likely trigger a segmentation fault.

I have modified the code to return NULL if the first string would
overflow, thus protecting the freeing functions later on.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
parent dbf72805
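The unpacking scheme the commit message describes, as an added example (not libX11's own code, and not part of this commit): a stand-alone reimplementation of the length-prefixed-string unpacking loop from the two hunks, with a demo-only `hardened` flag that switches between the pre-fix behaviour (list[0] set to NULL, count 0) and the fix (return NULL). The function names `unpack_strings`, `free_string_list` and `list_is_freeable` and the three sample replies are constructed for this illustration; the replies are not captured X server output.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Unpack a reply body of length-prefixed strings (length byte, then that many
 * bytes, repeated nstrings times) into an array of C strings, with the layout
 * used by the loops in the hunks: each entry points just past its length byte,
 * and the next string's length byte is overwritten with '\0' to terminate the
 * current one. The whole body stays in one buffer, freed later via list[0] - 1.
 * 'hardened' is a demo-only flag: 0 reproduces the pre-fix behaviour (list[0]
 * NULL, count 0 when even the first string overflows), 1 applies the fix. */
static char **unpack_strings(const unsigned char *data, size_t rlen,
                             unsigned nstrings, unsigned *count_out, int hardened)
{
    char **list, *buf, *ch, *chend;
    size_t length;
    unsigned count = 0, i;

    *count_out = 0;
    if (nstrings == 0)
        return NULL;
    list = malloc(nstrings * sizeof *list);
    buf = malloc(rlen + 1);                 /* +1: terminator of the last string */
    if (!list || !buf) {
        free(list);
        free(buf);
        return NULL;
    }
    memcpy(buf, data, rlen);
    buf[rlen] = '\0';

    ch = buf;
    chend = buf + rlen + 1;
    length = (unsigned char)*ch;
    for (i = 0; i < nstrings; i++) {
        /* the string body and the length byte after it must both lie inside
         * buf[0..rlen]; checked as a distance so no out-of-range pointer is formed */
        if (length + 1 < (size_t)(chend - ch)) {
            list[i] = ch + 1;               /* skip over the length byte */
            ch += length + 1;               /* next length byte */
            length = (unsigned char)*ch;
            *ch = '\0';                     /* terminate the string just unpacked */
            count++;
        } else if (hardened && i == 0) {
            /* the fix: nothing usable was unpacked, release everything and return
             * NULL. ch still equals buf here: only the branch above advances it. */
            free(list);
            free(ch);
            list = NULL;
            break;
        } else {
            /* later string overflows (or, pre-fix, the first one): slot stays NULL.
             * Pre-fix with i == 0 this leaves list[0] NULL and the body unreachable. */
            list[i] = NULL;
        }
    }
    *count_out = count;
    return list;
}

/* Release a list the way XFreeFontPath / XFreeExtensionList release theirs:
 * the body buffer starts one byte before the first string. */
static void free_string_list(char **list)
{
    if (list == NULL)
        return;
    free(list[0] - 1);
    free(list);
}

/* 1 if free_string_list() is safe: no list, or a first entry that really
 * points into the body buffer (the pre-fix NULL entry fails this). */
static int list_is_freeable(char **list)
{
    return list == NULL || list[0] != NULL;
}

/* Constructed replies for the demo, not captured from an X server. */
static const unsigned char reply_ok[]   = {3, 'a', 'b', 'c', 2, 'd', 'e'};
static const unsigned char reply_bad0[] = {9, 'a', 'b'};          /* first string overflows */
static const unsigned char reply_bad1[] = {2, 'a', 'b', 9, 'c'};  /* second string overflows */

int main(void)
{
    unsigned n;
    char **l;
    l = unpack_strings(reply_ok, sizeof reply_ok, 2, &n, 1);
    printf("ok:       count=%u [%s] [%s]\n", n, l[0], l[1]);
    free_string_list(l);

    l = unpack_strings(reply_bad0, sizeof reply_bad0, 1, &n, 0);
    printf("pre-fix:  count=%u list=%p list[0]=%p freeable=%d\n",
           n, (void *)l, (void *)l[0], list_is_freeable(l));
    free(l);                                /* free_string_list() would compute NULL - 1 */

    l = unpack_strings(reply_bad0, sizeof reply_bad0, 1, &n, 1);
    printf("post-fix: count=%u list=%p freeable=%d\n", n, (void *)l, list_is_freeable(l));
    free_string_list(l);
    return 0;
}
```

The bound check is written as a distance (`length + 1 < chend - ch`) so that both the string body and the length byte following it are guaranteed to sit inside the allocation before either is touched; `reply_bad1` shows the partial case, where a later string overflows, the remaining slots are left NULL and `list[0] - 1` is still the buffer base, so the list can be freed normally.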
......@@ -78,6 +78,11 @@ char **XGetFontPath(
length = *(unsigned char *)ch;
*ch = '\0'; /* and replace with null-termination */
count++;
} else if (i == 0) {
Xfree(flist);
Xfree(ch);
flist = NULL;
break;
} else
flist[i] = NULL;
}
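Review bot: the `Xfree(ch)` in the new `else if (i == 0)` branch is correct only because `ch` still points at the start of the buffer, and that holds solely because `i == 0` (the only place `ch` is advanced is the branch that also does `count++`). That invariant deserves a one-line comment next to the free, or the free should go through a saved base pointer, so that a later reordering of the loop does not turn it into freeing an interior pointer. The branch also leaves the caller's count at 0 implicitly rather than explicitly, which is fine given the visible `count++` placement but worth stating in the same comment.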
......@@ -83,6 +83,11 @@ char **XListExtensions(
length = *(unsigned char *)ch;
*ch = '\0'; /* and replace with null-termination */
count++;
} else if (i == 0) {
Xfree(list);
Xfree(ch);
list = NULL;
break;
} else
list[i] = NULL;
}
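Review bot: this branch is identical to the XGetFontPath one with `flist` renamed to `list`, so the whole unpacking loop, early-out included, is now duplicated across the two functions; factoring it into one shared helper would make sure the next fix lands in both places at once. Separately, a non-empty reply can now yield a NULL return with a count of 0, which is a new outcome for callers of XListExtensions; the function's header comment (and its man page, if it enumerates return values) should mention it so callers check for NULL before indexing.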