Commit e8372276 authored by Tobias Stoeckmann, committed by Matthieu Herrb

Fixed crash on invalid reply (CVE-2018-14598).
If the server sends a reply in which even the first string would
overflow the transmitted bytes, list[0] (or flist[0]) will be set to
NULL and a count of 0 is returned.

If the resulting list is freed with XFreeExtensionList or
XFreeFontPath later on, the first Xfree call:

    Xfree (list[0]-1)

turns into

    Xfree (NULL-1)

which will most likely trigger a segmentation fault.

I have modified the code to return NULL if the first string would
overflow, thus protecting the freeing functions later on.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
parent dbf72805
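As an added illustration (not the commit's or libX11's own code), the following C model reproduces the length-prefixed reply unpacking and the `free(list[0]-1)` release idiom the message describes, with a `fixed` flag selecting the pre-fix behaviour (list returned with `list[0] == NULL`, count 0) or the post-fix behaviour (NULL returned). Function and constant names and the sample replies are assumptions constructed for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Simplified model (not libX11's own code) of the reply unpacking the commit
 * describes: `nstrings` strings, each a length byte then that many chars,
 * NUL-terminated in place in one heap buffer, so the list is released with
 * free(list[0]-1) and free(list), the Xfree(list[0]-1) idiom. `fixed` selects
 * the post-fix behaviour: an overrunning first string yields NULL, not a
 * list whose list[0] is NULL with count 0. */
char **unpack_string_list(const unsigned char *body, size_t rlen,
                          int nstrings, int *count_out, int fixed)
{
    char **list, *ch, *chstart, *chend;
    unsigned char length;
    int i, count = 0;
    *count_out = 0; if (nstrings <= 0) return NULL;
    list = malloc(nstrings * sizeof(char *));
    ch = malloc(rlen + 1);                 /* +1 for the final terminator */
    if (!list || !ch) { free(list); free(ch); return NULL; }
    memcpy(ch, body, rlen); ch[rlen] = '\0';
    chstart = ch; chend = ch + rlen;
    length = (unsigned char)ch[0];
    for (i = 0; i < nstrings; i++) {
        if (ch + length < chend) {
            list[i] = ch + 1;              /* skip over the length byte */
            ch += length + 1;              /* move to the next length byte */
            length = (unsigned char)*ch;
            *ch = '\0';                    /* terminate the string just read */
            count++;
        } else if (fixed && i == 0) {
            /* Post-fix: free both buffers and fail instead of returning list[0] == NULL. */
            free(list); free(chstart);
            return NULL;
        } else {
            list[i] = NULL;                /* pre-fix: list[0] can be NULL */
            break;
        }
    }
    *count_out = count;
    return list;
}

/* With list[0] == NULL this computes free(NULL-1): the crash in the commit. */
void free_string_list(char **list)
{
    if (list) { free(list[0] - 1); free(list); }
}
/* Constructed replies: a valid one, and one claiming 5 chars where 2 were sent. */
const unsigned char GOOD_REPLY[] = {2, 'a', 'b', 3, 'x', 'y', 'z'};
const unsigned char BAD_REPLY[]  = {5, 'a', 'b'};
```

A pre-fix list built from BAD_REPLY cannot be released with free_string_list, which is exactly the condition the fix removes by failing early.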