diff options
| author | Tobias Stoeckmann <tobias@stoeckmann.org> | 2016-09-25 21:25:25 +0200 |
|---|---|---|
| committer | Ulrich Sibiller <uli42@gmx.de> | 2016-10-19 21:40:30 +0200 |
| commit | 70e9d346fe34af127d2c827c3678e53d0f4312ae (patch) | |
| tree | 183b9ec7e6897fb2cea7296b461a35ca93dfce6e | |
| parent | b17557f9f0cd0ba992415411040e20390fa881f0 (diff) | |
| download | nx-libs-70e9d346fe34af127d2c827c3678e53d0f4312ae.tar.gz nx-libs-70e9d346fe34af127d2c827c3678e53d0f4312ae.tar.bz2 nx-libs-70e9d346fe34af127d2c827c3678e53d0f4312ae.zip | |
Validation of server responses in XGetImage()
Check if enough bytes were received for specified image type and
geometry. Otherwise GetPixel and other functions could trigger an
out of boundary read later on.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
| -rw-r--r-- | nx-X11/lib/X11/GetImage.c | 29 |
1 files changed, 20 insertions, 9 deletions
diff --git a/nx-X11/lib/X11/GetImage.c b/nx-X11/lib/X11/GetImage.c index 59fb45eb1..d80f6715f 100644 --- a/nx-X11/lib/X11/GetImage.c +++ b/nx-X11/lib/X11/GetImage.c @@ -59,6 +59,7 @@ XImage *XGetImage ( char *data; unsigned long nbytes; XImage *image; + int planes; LockDisplay(dpy); GetReq (GetImage, req); /* @@ -91,18 +92,28 @@ XImage *XGetImage ( return (XImage *) NULL; } _XReadPad (dpy, data, nbytes); - if (format == XYPixmap) - image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual), - Ones (plane_mask & - (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))), - format, 0, data, width, height, dpy->bitmap_pad, 0); - else /* format == ZPixmap */ - image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual), - rep.depth, ZPixmap, 0, data, width, height, - _XGetScanlinePad(dpy, (int) rep.depth), 0); + if (format == XYPixmap) { + image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual), + Ones (plane_mask & + (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))), + format, 0, data, width, height, dpy->bitmap_pad, 0); + planes = image->depth; + } else { /* format == ZPixmap */ + image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual), + rep.depth, ZPixmap, 0, data, width, height, + _XGetScanlinePad(dpy, (int) rep.depth), 0); + planes = 1; + } if (!image) Xfree(data); + if (planes < 1 || image->height < 1 || image->bytes_per_line < 1 || + INT_MAX / image->height <= image->bytes_per_line || + INT_MAX / planes <= image->height * image->bytes_per_line || + nbytes < planes * image->height * image->bytes_per_line) { + XDestroyImage(image); + image = NULL; + } UnlockDisplay(dpy); SyncHandle(); return (image); |