From 0284afb80cefe1ae3c2567dd46427b5d425791b1 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 2 Mar 2013 11:25:25 -0800
Subject: unvalidated length in _XimXGetReadData() [CVE-2013-1997 12/15]

Check the provided buffer size against the amount of data we're going to
write into it, not against the reported length from the ClientMessage.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Signed-off-by: Julien Cristau <jcristau@debian.org>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
---
 nx-X11/lib/X11/imTrX.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'nx-X11/lib/X11/imTrX.c')

diff --git a/nx-X11/lib/X11/imTrX.c b/nx-X11/lib/X11/imTrX.c
index eba328057..2b5455f1b 100644
--- a/nx-X11/lib/X11/imTrX.c
+++ b/nx-X11/lib/X11/imTrX.c
@@ -372,7 +372,7 @@ _XimXGetReadData(
 		XFree(prop_ret);
 	    return False;
 	}
-	if (buf_len >= length) {
+	if (buf_len >= (int)nitems) {
 	    (void)memcpy(buf, prop_ret, (int)nitems);
 	    *ret_len  = (int)nitems;
 	    if (bytes_after_ret > 0) {
-- 
cgit v1.2.3