aboutsummaryrefslogtreecommitdiff
path: root/nxcomp/ListFontsReply.h
diff options
context:
space:
mode:
authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-03-02 13:18:48 -0800
committerUlrich Sibiller <uli42@gmx.de>2016-10-12 09:34:38 +0200
commit25172302a39c4e0c90dffbdcfa88b99ac442a2f9 (patch)
treec52ae736bbfb3e8c9891a8f8eb58c65267e37001 /nxcomp/ListFontsReply.h
parent8468165ae6ec55c715721c6e1991f67902b30564 (diff)
downloadnx-libs-25172302a39c4e0c90dffbdcfa88b99ac442a2f9.tar.gz
nx-libs-25172302a39c4e0c90dffbdcfa88b99ac442a2f9.tar.bz2
nx-libs-25172302a39c4e0c90dffbdcfa88b99ac442a2f9.zip
integer overflows in TransFileName() [CVE-2013-1981 9/13]
When trying to process file paths the tokens %H, %L, & %S are expanded to $HOME, the standard compose file path & the xlocaledir path. If enough of these tokens are repeated and values like $HOME are set to very large values, the calculation of the total string size required to hold the expanded path can overflow, resulting in allocating a smaller string than the amount of data we'll write to it. Simply restrict all of these values, and the total path size to PATH_MAX, because really, that's all you should need for a filename path. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
Diffstat (limited to 'nxcomp/ListFontsReply.h')
0 files changed, 0 insertions, 0 deletions