diff options
author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-03-02 11:25:25 -0800 |
---|---|---|
committer | Ulrich Sibiller <uli42@gmx.de> | 2016-10-12 09:34:39 +0200 |
commit | 0284afb80cefe1ae3c2567dd46427b5d425791b1 (patch) | |
tree | d88e982248f1656a29bc5def754618af6b23966f | |
parent | 0bf09b4bb1e469f37b75a088b1a5ba093ab36252 (diff) | |
download | nx-libs-0284afb80cefe1ae3c2567dd46427b5d425791b1.tar.gz nx-libs-0284afb80cefe1ae3c2567dd46427b5d425791b1.tar.bz2 nx-libs-0284afb80cefe1ae3c2567dd46427b5d425791b1.zip |
unvalidated length in _XimXGetReadData() [CVE-2013-1997 12/15]
Check the provided buffer size against the amount of data we're going to
write into it, not against the reported length from the ClientMessage.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Signed-off-by: Julien Cristau <jcristau@debian.org>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
-rw-r--r-- | nx-X11/lib/X11/imTrX.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/nx-X11/lib/X11/imTrX.c b/nx-X11/lib/X11/imTrX.c index eba328057..2b5455f1b 100644 --- a/nx-X11/lib/X11/imTrX.c +++ b/nx-X11/lib/X11/imTrX.c @@ -372,7 +372,7 @@ _XimXGetReadData( XFree(prop_ret); return False; } - if (buf_len >= length) { + if (buf_len >= (int)nitems) { (void)memcpy(buf, prop_ret, (int)nitems); *ret_len = (int)nitems; if (bytes_after_ret > 0) { |