aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-03-02 11:25:25 -0800
committerUlrich Sibiller <uli42@gmx.de>2016-10-12 09:34:39 +0200
commit0284afb80cefe1ae3c2567dd46427b5d425791b1 (patch)
treed88e982248f1656a29bc5def754618af6b23966f
parent0bf09b4bb1e469f37b75a088b1a5ba093ab36252 (diff)
downloadnx-libs-0284afb80cefe1ae3c2567dd46427b5d425791b1.tar.gz
nx-libs-0284afb80cefe1ae3c2567dd46427b5d425791b1.tar.bz2
nx-libs-0284afb80cefe1ae3c2567dd46427b5d425791b1.zip
unvalidated length in _XimXGetReadData() [CVE-2013-1997 12/15]
Check the provided buffer size against the amount of data we're going to write into it, not against the reported length from the ClientMessage. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
-rw-r--r--nx-X11/lib/X11/imTrX.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/nx-X11/lib/X11/imTrX.c b/nx-X11/lib/X11/imTrX.c
index eba328057..2b5455f1b 100644
--- a/nx-X11/lib/X11/imTrX.c
+++ b/nx-X11/lib/X11/imTrX.c
@@ -372,7 +372,7 @@ _XimXGetReadData(
XFree(prop_ret);
return False;
}
- if (buf_len >= length) {
+ if (buf_len >= (int)nitems) {
(void)memcpy(buf, prop_ret, (int)nitems);
*ret_len = (int)nitems;
if (bytes_after_ret > 0) {