open-src/lib/libXt/CVE-2013-2002.patch
changeset 1345 d5dacbb8de2b
1344:800e8c2d47f1 1345:d5dacbb8de2b
       
     1 From 9264a21b688891dbdcee630ff72cf39aa75fc4e1 Mon Sep 17 00:00:00 2001
       
     2 From: Alan Coopersmith <[email protected]>
       
     3 Date: Sat, 9 Mar 2013 11:44:14 -0800
       
     4 Subject: [PATCH:libXt 2/3] unvalidated length in _XtResourceConfigurationEH
       
     5  [CVE-2013-2002]
       
     6 
       
     7 The RCM_DATA property is expected to be in the format:
       
     8     resource_length, resource, value
       
     9 
       
    10 If the property contains a resource_length that results in a pointer
       
    11 outside the property string, memory corruption can occur.
       
    12 
       
    13 Reported-by: Ilja Van Sprundel <[email protected]>
       
    14 Signed-off-by: Alan Coopersmith <[email protected]>
       
    15 ---
       
    16  src/ResConfig.c |   41 ++++++++++++++++++++++++++---------------
       
    17  1 file changed, 26 insertions(+), 15 deletions(-)
       
    18 
       
    19 diff --git a/src/ResConfig.c b/src/ResConfig.c
       
    20 index 68da536..1f3edbe 100644
       
    21 --- a/src/ResConfig.c
       
    22 +++ b/src/ResConfig.c
       
    23 @@ -971,26 +971,37 @@ _XtResourceConfigurationEH (
       
    24  	 *      resource and value fields.
       
    25  	 */
       
    26  		if (data) {
       
    27 +			char *data_end = data + nitems;
       
    28 +			char *data_value;
       
    29 +
       
    30  			resource_len = Strtoul ((void *)data, &data_ptr, 10);
       
    31 -			data_ptr++;
       
    32  
       
    33 -			data_ptr[resource_len] = '\0';
       
    34 +			if (data_ptr != (char *) data) {
       
    35 +				data_ptr++;
       
    36 +				data_value = data_ptr + resource_len;
       
    37 +			} else /* strtoul failed to convert a number */
       
    38 +				data_ptr = data_value = NULL;
       
    39 +
       
    40 +			if (data_value > data_ptr && data_value < data_end) {
       
    41 +				*data_value++ = '\0';
       
    42  
       
    43 -			resource = XtNewString (data_ptr);
       
    44 -			value = XtNewString (&data_ptr[resource_len + 1]);
       
    45 +				resource = XtNewString (data_ptr);
       
    46 +				value = XtNewString (data_value);
       
    47  #ifdef DEBUG
       
    48 -			fprintf (stderr, "resource_len=%d\n",resource_len);
       
    49 -			fprintf (stderr, "resource = %s\t value = %s\n",
       
    50 -					resource, value);
       
    51 +				fprintf (stderr, "resource_len=%d\n"
       
    52 +					 resource_len);
       
    53 +				fprintf (stderr, "resource = %s\t value = %s\n",
       
    54 +					 resource, value);
       
    55  #endif
       
    56 -			/*
       
    57 -			 * descend the application widget tree and
       
    58 -			 * apply the value to the appropriate widgets
       
    59 -			 */
       
    60 -			_search_widget_tree (w, resource, value);
       
    61 -
       
    62 -			XtFree (resource);
       
    63 -			XtFree (value);
       
    64 +				/*
       
    65 +				 * descend the application widget tree and
       
    66 +				 * apply the value to the appropriate widgets
       
    67 +				 */
       
    68 +				_search_widget_tree (w, resource, value);
       
    69 +
       
    70 +				XtFree (resource);
       
    71 +				XtFree (value);
       
    72 +			}
       
    73  		}
       
    74  	}
       
    75  
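Review bot: The new bounds check tests `data_value` only after `data_ptr + resource_len` has been computed from the property-supplied length, so an oversized `resource_len` still forms an out-of-range pointer (undefined behaviour in C) before it is rejected. Checking the length against the remaining bytes first is sturdier: `data_value = (data_ptr < data_end && resource_len < (size_t)(data_end - data_ptr)) ? data_ptr + resource_len : NULL;`, with the existing `data_value > data_ptr` test still rejecting a zero length. Separately, the re-indented DEBUG block drops the comma after `"resource_len=%d\n"`, so a DEBUG build would not compile; it should read `fprintf (stderr, "resource_len=%d\n",`. The declaration of `resource_len` and the start of `_XtResourceConfigurationEH` are outside the hunk, so the `%d` specifier may also need checking against its type.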
       
    76 -- 
       
    77 1.7.9.2
       
    78