diff options
author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-03-02 12:39:58 -0800 |
---|---|---|
committer | Ulrich Sibiller <uli42@gmx.de> | 2016-10-12 09:34:39 +0200 |
commit | e386187e91569eae3064927d5b5753a7a68ace47 (patch) | |
tree | d16b9ab88883a69aa9b54a4fc26f0170cdc4a955 | |
parent | bddfee4a987c0ef5eb26e1b14b8385e7630a1e21 (diff) | |
download | nx-libs-e386187e91569eae3064927d5b5753a7a68ace47.tar.gz nx-libs-e386187e91569eae3064927d5b5753a7a68ace47.tar.bz2 nx-libs-e386187e91569eae3064927d5b5753a7a68ace47.zip |
Unbounded recursion in _XimParseStringFile() when parsing include files [CVE-2013-2004 2/2]
parseline() can call _XimParseStringFile() which can call parseline()
which can call _XimParseStringFile() which can call parseline() ....
eventually causing recursive stack overflow and crash.
Limit is set to a include depth of 100 files, which should be enough
for all known use cases, but could be adjusted later if necessary.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Signed-off-by: Julien Cristau <jcristau@debian.org>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
-rw-r--r-- | nx-X11/lib/X11/imLcPrs.c | 20 |
1 files changed, 17 insertions, 3 deletions
diff --git a/nx-X11/lib/X11/imLcPrs.c b/nx-X11/lib/X11/imLcPrs.c index f02e93bbb..ad65da694 100644 --- a/nx-X11/lib/X11/imLcPrs.c +++ b/nx-X11/lib/X11/imLcPrs.c @@ -58,6 +58,8 @@ extern int _Xmbstoutf8( int len ); +static void parsestringfile(FILE *fp, Xim im, int depth); + /* * Parsing File Format: * @@ -447,7 +449,8 @@ static int parseline( FILE *fp, Xim im, - char* tokenbuf) + char* tokenbuf, + int depth) { int token; DTModifier modifier_mask; @@ -494,11 +497,13 @@ parseline( goto error; if ((filename = TransFileName(im, tokenbuf)) == NULL) goto error; + if (++depth > 100) + goto error; infp = _XFopenFile(filename, "r"); Xfree(filename); if (infp == NULL) goto error; - _XimParseStringFile(infp, im); + parsestringfile(infp, im, depth); fclose(infp); return (0); } else if ((token == KEY) && (strcmp("None", tokenbuf) == 0)) { @@ -692,6 +697,15 @@ _XimParseStringFile( FILE *fp, Xim im) { + parsestringfile(fp, im, 0); +} + +static void +parsestringfile( + FILE *fp, + Xim im, + int depth) +{ char tb[8192]; char* tbp; struct stat st; @@ -704,7 +718,7 @@ _XimParseStringFile( else tbp = malloc (size); if (tbp != NULL) { - while (parseline(fp, im, tbp) >= 0) {} + while (parseline(fp, im, tbp, depth) >= 0) {} if (tbp != tb) free (tbp); } } |