aboutsummaryrefslogtreecommitdiff
path: root/nx-X11/lib/X11
diff options
context:
space:
mode:
authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-03-01 18:37:37 -0800
committerUlrich Sibiller <uli42@gmx.de>2016-10-19 21:40:27 +0200
commit7992a98737cfc8a61b996951cb126820c87277dd (patch)
tree40e11e06ea10f82175c945350ba33a41e7a83c55 /nx-X11/lib/X11
parent78b0ca2fe42ca998708490854d5f5f38ca90d0a8 (diff)
downloadnx-libs-7992a98737cfc8a61b996951cb126820c87277dd.tar.gz
nx-libs-7992a98737cfc8a61b996951cb126820c87277dd.tar.bz2
nx-libs-7992a98737cfc8a61b996951cb126820c87277dd.zip
integer overflow in ReadInFile() in Xrm.c [CVE-2013-1981 7/13]
Called from XrmGetFileDatabase() which gets called from InitDefaults() which gets the filename from getenv ("XENVIRONMENT") If file is exactly 0xffffffff bytes long (or longer and truncates to 0xffffffff, on implementations where off_t is larger than an int), then size may be set to a value which overflows causing less memory to be allocated than is written to by the following read() call. size is left limited to an int, because if your Xresources file is larger than 2gb, you're very definitely doing it wrong. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
Diffstat (limited to 'nx-X11/lib/X11')
-rw-r--r--nx-X11/lib/X11/Xrm.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/nx-X11/lib/X11/Xrm.c b/nx-X11/lib/X11/Xrm.c
index e498e4e5a..6adbc0dda 100644
--- a/nx-X11/lib/X11/Xrm.c
+++ b/nx-X11/lib/X11/Xrm.c
@@ -62,6 +62,7 @@ from The Open Group.
#endif
#include <nx-X11/Xos.h>
#include <sys/stat.h>
+#include <limits.h>
#include "Xresinternal.h"
#include "Xresource.h"
@@ -1595,11 +1596,12 @@ ReadInFile(_Xconst char *filename)
*/
{
struct stat status_buffer;
- if ( (fstat(fd, &status_buffer)) == -1 ) {
+ if ( ((fstat(fd, &status_buffer)) == -1 ) ||
+ (status_buffer.st_size >= INT_MAX) ) {
close (fd);
return (char *)NULL;
} else
- size = status_buffer.st_size;
+ size = (int) status_buffer.st_size;
}
if (!(filebuf = Xmalloc(size + 1))) { /* leave room for '\0' */