aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-03-02 12:01:39 -0800
committerUlrich Sibiller <uli42@gmx.de>2016-10-12 09:34:39 +0200
commitbddfee4a987c0ef5eb26e1b14b8385e7630a1e21 (patch)
treec6c5e9fe7fe6e1feb7baea802dc8f6340b672977
parentdbc11719399ce7e191c806ad6b5c9104666e2a77 (diff)
downloadnx-libs-bddfee4a987c0ef5eb26e1b14b8385e7630a1e21.tar.gz
nx-libs-bddfee4a987c0ef5eb26e1b14b8385e7630a1e21.tar.bz2
nx-libs-bddfee4a987c0ef5eb26e1b14b8385e7630a1e21.zip
Unbounded recursion in GetDatabase() when parsing include files [CVE-2013-2004 1/2]
GetIncludeFile() can call GetDatabase() which can call GetIncludeFile() which can call GetDatabase() which can call GetIncludeFile() .... eventually causing recursive stack overflow and crash. Easily reproduced with a resource file that #includes itself. Limit is set to a include depth of 100 files, which should be enough for all known use cases, but could be adjusted later if necessary. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
-rw-r--r--nx-X11/lib/X11/Xrm.c24
1 files changed, 15 insertions, 9 deletions
diff --git a/nx-X11/lib/X11/Xrm.c b/nx-X11/lib/X11/Xrm.c
index b3d92bb48..818e72906 100644
--- a/nx-X11/lib/X11/Xrm.c
+++ b/nx-X11/lib/X11/Xrm.c
@@ -1087,13 +1087,15 @@ static void GetIncludeFile(
XrmDatabase db,
_Xconst char *base,
_Xconst char *fname,
- int fnamelen);
+ int fnamelen,
+ int depth);
static void GetDatabase(
XrmDatabase db,
_Xconst register char *str,
_Xconst char *filename,
- Bool doall)
+ Bool doall,
+ int depth)
{
char *rhs;
char *lhs, lhs_s[DEF_BUFF_SIZE];
@@ -1203,7 +1205,8 @@ static void GetDatabase(
} while (c != '"' && !is_EOL(bits));
/* must have an ending " */
if (c == '"')
- GetIncludeFile(db, filename, fname, str - len - fname);
+ GetIncludeFile(db, filename, fname, str - len - fname,
+ depth);
}
}
/* spin to next newline */
@@ -1544,7 +1547,7 @@ XrmPutLineResource(
{
if (!*pdb) *pdb = NewDatabase();
_XLockMutex(&(*pdb)->linfo);
- GetDatabase(*pdb, line, (char *)NULL, False);
+ GetDatabase(*pdb, line, (char *)NULL, False, 0);
_XUnlockMutex(&(*pdb)->linfo);
}
@@ -1556,7 +1559,7 @@ XrmGetStringDatabase(
db = NewDatabase();
_XLockMutex(&db->linfo);
- GetDatabase(db, data, (char *)NULL, True);
+ GetDatabase(db, data, (char *)NULL, True, 0);
_XUnlockMutex(&db->linfo);
return db;
}
@@ -1633,7 +1636,8 @@ GetIncludeFile(
XrmDatabase db,
_Xconst char *base,
_Xconst char *fname,
- int fnamelen)
+ int fnamelen,
+ int depth)
{
int len;
char *str;
@@ -1641,6 +1645,8 @@ GetIncludeFile(
if (fnamelen <= 0 || fnamelen >= BUFSIZ)
return;
+ if (depth >= MAXDBDEPTH)
+ return;
if (*fname != '/' && base && (str = strrchr(base, '/'))) {
len = str - base + 1;
if (len + fnamelen >= BUFSIZ)
@@ -1654,7 +1660,7 @@ GetIncludeFile(
}
if (!(str = ReadInFile(realfname)))
return;
- GetDatabase(db, str, realfname, True);
+ GetDatabase(db, str, realfname, True, depth + 1);
Xfree(str);
}
@@ -1670,7 +1676,7 @@ XrmGetFileDatabase(
db = NewDatabase();
_XLockMutex(&db->linfo);
- GetDatabase(db, str, filename, True);
+ GetDatabase(db, str, filename, True, 0);
_XUnlockMutex(&db->linfo);
Xfree(str);
return db;
@@ -1694,7 +1700,7 @@ XrmCombineFileDatabase(
} else
db = NewDatabase();
_XLockMutex(&db->linfo);
- GetDatabase(db, str, filename, True);
+ GetDatabase(db, str, filename, True, 0);
_XUnlockMutex(&db->linfo);
Xfree(str);
if (!override)