Commit f3e08e4f authored by Alan Coopersmith's avatar Alan Coopersmith

Stack buffer overflow in XGetDeviceButtonMapping() [CVE-2013-1998 1/3]

We copy the entire reply sent by the server into the fixed size
mapping[] array on the stack, even if the server says it's a larger
size than the mapping array can hold.  HULK SMASH STACK!
Reported-by: default avatarIlja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith's avatarAlan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer's avatarPeter Hutterer <peter.hutterer@who-t.net>
parent 59b8e138
......@@ -60,6 +60,7 @@ SOFTWARE.
#include <X11/extensions/XInput.h>
#include <X11/extensions/extutil.h>
#include "XIint.h"
#include <limits.h>
#ifdef MIN /* some systems define this in <sys/param.h> */
#undef MIN
......@@ -75,7 +76,6 @@ XGetDeviceButtonMapping(
{
int status = 0;
unsigned char mapping[256]; /* known fixed size */
long nbytes;
XExtDisplayInfo *info = XInput_find_display(dpy);
register xGetDeviceButtonMappingReq *req;
......@@ -92,13 +92,18 @@ XGetDeviceButtonMapping(
status = _XReply(dpy, (xReply *) & rep, 0, xFalse);
if (status == 1) {
nbytes = (long)rep.length << 2;
_XRead(dpy, (char *)mapping, nbytes);
/* don't return more data than the user asked for. */
if (rep.nElts)
memcpy((char *)map, (char *)mapping, MIN((int)rep.nElts, nmap));
status = rep.nElts;
if (rep.length <= (sizeof(mapping) >> 2)) {
unsigned long nbytes = rep.length << 2;
_XRead(dpy, (char *)mapping, nbytes);
/* don't return more data than the user asked for. */
if (rep.nElts)
memcpy(map, mapping, MIN((int)rep.nElts, nmap));
status = rep.nElts;
} else {
_XEatDataWords(dpy, rep.length);
status = 0;
}
} else
status = 0;
UnlockDisplay(dpy);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment