|
1 From 9264a21b688891dbdcee630ff72cf39aa75fc4e1 Mon Sep 17 00:00:00 2001 |
|
2 From: Alan Coopersmith <[email protected]> |
|
3 Date: Sat, 9 Mar 2013 11:44:14 -0800 |
|
4 Subject: [PATCH:libXt 2/3] unvalidated length in _XtResourceConfigurationEH |
|
5 [CVE-2013-2002] |
|
6 |
|
7 The RCM_DATA property is expected to be in the format: |
|
8 resource_length, resource, value |
|
9 |
|
10 If the property contains a resource_length that results in a pointer |
|
11 outside the property string, memory corruption can occur. |
|
12 |
|
13 Reported-by: Ilja Van Sprundel <[email protected]> |
|
14 Signed-off-by: Alan Coopersmith <[email protected]> |
|
15 --- |
|
16 src/ResConfig.c | 41 ++++++++++++++++++++++++++--------------- |
|
17 1 file changed, 26 insertions(+), 15 deletions(-) |
|
18 |
|
19 diff --git a/src/ResConfig.c b/src/ResConfig.c |
|
20 index 68da536..1f3edbe 100644 |
|
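--- a/src/ResConfig.c
+++ b/src/ResConfig.c
@@ -971,26 +971,37 @@ _XtResourceConfigurationEH (
 * resource and value fields.
 */
 if (data) {
+ char *data_end = data + nitems;
+ char *data_value;
+
 resource_len = Strtoul ((void *)data, &data_ptr, 10);
- data_ptr++;
 
- data_ptr[resource_len] = '\0';
+ if (data_ptr != (char *) data) {
+ data_ptr++;
+ data_value = data_ptr + resource_len;
+ } else /* strtoul failed to convert a number */
+ data_ptr = data_value = NULL;
+
+ if (data_value > data_ptr && data_value < data_end) {
+ *data_value++ = '\0';
 
- resource = XtNewString (data_ptr);
- value = XtNewString (&data_ptr[resource_len + 1]);
+ resource = XtNewString (data_ptr);
+ value = XtNewString (data_value);
 #ifdef DEBUG
- fprintf (stderr, "resource_len=%d\n",resource_len);
- fprintf (stderr, "resource = %s\t value = %s\n",
- resource, value);
+ fprintf (stderr, "resource_len=%d\n"
+ resource_len);
+ fprintf (stderr, "resource = %s\t value = %s\n",
+ resource, value);
 #endif
- /*
- * descend the application widget tree and
- * apply the value to the appropriate widgets
- */
- _search_widget_tree (w, resource, value);
-
- XtFree (resource);
- XtFree (value);
+ /*
+ * descend the application widget tree and
+ * apply the value to the appropriate widgets
+ */
+ _search_widget_tree (w, resource, value);
+
+ XtFree (resource);
+ XtFree (value);
+ }
 }
 }
 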
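Review bot: The first DEBUG `fprintf` in the new block has lost the comma between the format string and its argument (`"resource_len=%d\n"` is followed directly by `resource_len);`), so the file will not compile with DEBUG defined; it should read `fprintf (stderr, "resource_len=%d\n", resource_len);`. Separately, `data_value = data_ptr + resource_len` forms the pointer before the range test, so an oversized length read from the property produces out-of-bounds pointer arithmetic, which is undefined behaviour even though the following comparison is meant to reject it. Testing the length rather than the derived pointer avoids that: `if (data_ptr < data_end && resource_len > 0 && resource_len < (unsigned long)(data_end - data_ptr))`, with `data_value` computed only inside that branch. The declaration of `resource_len` and the start of `_XtResourceConfigurationEH` are outside the hunk, so the cast type and whether `%d` matches it are assumptions to confirm.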
|
76 -- |
|
77 1.7.9.2 |
|
78 |