diff options
author | Tobias Stoeckmann <tobias@stoeckmann.org> | 2016-09-25 21:22:57 +0200 |
---|---|---|
committer | Ulrich Sibiller <uli42@gmx.de> | 2016-10-19 21:40:30 +0200 |
commit | b17557f9f0cd0ba992415411040e20390fa881f0 (patch) | |
tree | 3d4bdcf4ad4df7553febbbeb4e2f608a32b2acc2 /nx-X11/lib/X11/FontNames.c | |
parent | 68e3ee67c07282c11cd144fbdb767b41a6dacc4e (diff) | |
download | nx-libs-b17557f9f0cd0ba992415411040e20390fa881f0.tar.gz nx-libs-b17557f9f0cd0ba992415411040e20390fa881f0.tar.bz2 nx-libs-b17557f9f0cd0ba992415411040e20390fa881f0.zip |
The validation of server responses avoids out of boundary accesses.
v2: FontNames.c return a NULL list whenever a single
length field from the server is incohent.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
Diffstat (limited to 'nx-X11/lib/X11/FontNames.c')
-rw-r--r-- | nx-X11/lib/X11/FontNames.c | 23 |
1 files changed, 17 insertions, 6 deletions
diff --git a/nx-X11/lib/X11/FontNames.c b/nx-X11/lib/X11/FontNames.c index 21dcafea1..e55f338ca 100644 --- a/nx-X11/lib/X11/FontNames.c +++ b/nx-X11/lib/X11/FontNames.c @@ -66,7 +66,7 @@ int *actualCount) /* RETURN */ if (rep.nFonts) { flist = Xmalloc (rep.nFonts * sizeof(char *)); - if (rep.length < (INT_MAX >> 2)) { + if (rep.length > 0 && rep.length < (INT_MAX >> 2)) { rlen = rep.length << 2; ch = Xmalloc(rlen + 1); /* +1 to leave room for last null-terminator */ @@ -93,11 +93,22 @@ int *actualCount) /* RETURN */ if (ch + length < chend) { flist[i] = ch + 1; /* skip over length */ ch += length + 1; /* find next length ... */ - length = *(unsigned char *)ch; - *ch = '\0'; /* and replace with null-termination */ - count++; - } else - flist[i] = NULL; + if (ch <= chend) { + length = *(unsigned char *)ch; + *ch = '\0'; /* and replace with null-termination */ + count++; + } else { + Xfree(flist); + flist = NULL; + count = 0; + break; + } + } else { + Xfree(flist); + flist = NULL; + count = 0; + break; + } } } *actualCount = count; |