aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-03-02 12:39:58 -0800
committerUlrich Sibiller <uli42@gmx.de>2016-10-12 09:34:39 +0200
commite386187e91569eae3064927d5b5753a7a68ace47 (patch)
treed16b9ab88883a69aa9b54a4fc26f0170cdc4a955
parentbddfee4a987c0ef5eb26e1b14b8385e7630a1e21 (diff)
downloadnx-libs-e386187e91569eae3064927d5b5753a7a68ace47.tar.gz
nx-libs-e386187e91569eae3064927d5b5753a7a68ace47.tar.bz2
nx-libs-e386187e91569eae3064927d5b5753a7a68ace47.zip
Unbounded recursion in _XimParseStringFile() when parsing include files [CVE-2013-2004 2/2]
parseline() can call _XimParseStringFile() which can call parseline() which can call _XimParseStringFile() which can call parseline() .... eventually causing recursive stack overflow and crash. Limit is set to a include depth of 100 files, which should be enough for all known use cases, but could be adjusted later if necessary. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
-rw-r--r--nx-X11/lib/X11/imLcPrs.c20
1 files changed, 17 insertions, 3 deletions
diff --git a/nx-X11/lib/X11/imLcPrs.c b/nx-X11/lib/X11/imLcPrs.c
index f02e93bbb..ad65da694 100644
--- a/nx-X11/lib/X11/imLcPrs.c
+++ b/nx-X11/lib/X11/imLcPrs.c
@@ -58,6 +58,8 @@ extern int _Xmbstoutf8(
int len
);
+static void parsestringfile(FILE *fp, Xim im, int depth);
+
/*
* Parsing File Format:
*
@@ -447,7 +449,8 @@ static int
parseline(
FILE *fp,
Xim im,
- char* tokenbuf)
+ char* tokenbuf,
+ int depth)
{
int token;
DTModifier modifier_mask;
@@ -494,11 +497,13 @@ parseline(
goto error;
if ((filename = TransFileName(im, tokenbuf)) == NULL)
goto error;
+ if (++depth > 100)
+ goto error;
infp = _XFopenFile(filename, "r");
Xfree(filename);
if (infp == NULL)
goto error;
- _XimParseStringFile(infp, im);
+ parsestringfile(infp, im, depth);
fclose(infp);
return (0);
} else if ((token == KEY) && (strcmp("None", tokenbuf) == 0)) {
@@ -692,6 +697,15 @@ _XimParseStringFile(
FILE *fp,
Xim im)
{
+ parsestringfile(fp, im, 0);
+}
+
+static void
+parsestringfile(
+ FILE *fp,
+ Xim im,
+ int depth)
+{
char tb[8192];
char* tbp;
struct stat st;
@@ -704,7 +718,7 @@ _XimParseStringFile(
else tbp = malloc (size);
if (tbp != NULL) {
- while (parseline(fp, im, tbp) >= 0) {}
+ while (parseline(fp, im, tbp, depth) >= 0) {}
if (tbp != tb) free (tbp);
}
}