From 0284afb80cefe1ae3c2567dd46427b5d425791b1 Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Sat, 2 Mar 2013 11:25:25 -0800 Subject: unvalidated length in _XimXGetReadData() [CVE-2013-1997 12/15] Check the provided buffer size against the amount of data we're going to write into it, not against the reported length from the ClientMessage. Reported-by: Ilja Van Sprundel Signed-off-by: Alan Coopersmith Reviewed-by: Matthieu Herrb Signed-off-by: Julien Cristau Backported-to-NX-by: Ulrich Sibiller --- nx-X11/lib/X11/imTrX.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nx-X11/lib/X11/imTrX.c b/nx-X11/lib/X11/imTrX.c index eba328057..2b5455f1b 100644 --- a/nx-X11/lib/X11/imTrX.c +++ b/nx-X11/lib/X11/imTrX.c @@ -372,7 +372,7 @@ _XimXGetReadData( XFree(prop_ret); return False; } - if (buf_len >= length) { + if (buf_len >= (int)nitems) { (void)memcpy(buf, prop_ret, (int)nitems); *ret_len = (int)nitems; if (bytes_after_ret > 0) { -- cgit v1.2.3