glyph.c ignores allocation failures with possible heap corruption
Submitted by Sam Varshavchik
Assigned to xcb mailing list dummy
Link to original bug (#107105)
Description
In renderutil/glyph.c, _grow_stream() checks if realloc() fails, but doesn't really do anything about that, and simply returns.
All existing callers of _grow_stream() assume that it succeeds, and proceed to blindly memcpy() more stuff to the stream.
There's a remote chance of this being exploitable. An attacker would have to cause an application that uses xcb to:
- run out of memory
- proceed to create a text stream consisting of glyph data that overwrites and corrupts the existing heap space, in some controlled way.
A brief survey of the existing calls to _grow_stream() suggests that plugging this hole is trivial -- have _grow_stream() return an error indication, and all existing calls to _grow_stream() in glyph.c can simply return, in that case.
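An added illustration of the fix the report proposes, not code from xcb-util-renderutil itself: the stream struct, its field names and the injectable allocator are hypothetical stand-ins, chosen so the realloc() failure path can be exercised offline. The grow function reports failure instead of silently returning, and the caller bails out before memcpy() rather than writing past the buffer.

```c
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical stand-in for the text stream in renderutil/glyph.c. */
typedef struct {
    uint8_t *buf;
    size_t   len;   /* bytes used */
    size_t   cap;   /* bytes allocated */
} stream_t;

/* Injectable allocator so an out-of-memory condition can be simulated. */
static int fail_next_realloc = 0;
static void *test_realloc(void *p, size_t n) {
    if (fail_next_realloc) { fail_next_realloc = 0; return NULL; }
    return realloc(p, n);
}

/* Fixed grow: returns 1 on success, 0 when realloc fails. On failure the old
   buffer, length and capacity are left intact, so nothing is lost or overrun. */
static int grow_stream(stream_t *s, size_t need) {
    if (s->cap - s->len >= need) return 1;
    size_t ncap = s->cap ? s->cap : 64;
    while (ncap - s->len < need) ncap *= 2;
    uint8_t *nb = test_realloc(s->buf, ncap);
    if (!nb) return 0;          /* caller must stop; no bytes have been written */
    s->buf = nb;
    s->cap = ncap;
    return 1;
}

/* Caller in the style the report suggests: check the result, then memcpy. */
static int stream_append(stream_t *s, const void *data, size_t n) {
    if (!grow_stream(s, n)) return 0;   /* bail out instead of corrupting the heap */
    memcpy(s->buf + s->len, data, n);
    s->len += n;
    return 1;
}

/* Appends once, then simulates OOM on the next growth. Returns 1 when the
   second append is refused and the stream is unchanged (len 100, cap 128). */
int demo(void) {
    stream_t s = {0};
    uint8_t glyphs[100];                 /* constructed sample glyph data */
    memset(glyphs, 0x41, sizeof glyphs);
    if (!stream_append(&s, glyphs, sizeof glyphs)) return 0;
    size_t before = s.len;
    fail_next_realloc = 1;               /* next realloc returns NULL */
    int rc = stream_append(&s, glyphs, sizeof glyphs);  /* needs 200 > cap 128 */
    int ok = (rc == 0) && (s.len == before) && (s.cap == 128);
    free(s.buf);
    return ok;
}
```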