Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:dirkmueller:branches:openSUSE:Factory:Rings:1-MinimalX
Mesa
u_mesa-CVE-2023-45919.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File u_mesa-CVE-2023-45919.patch of Package Mesa
src/glx/glx_query.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) Index: mesa-24.3.0-rc1/src/glx/glx_query.c =================================================================== --- mesa-24.3.0-rc1.orig/src/glx/glx_query.c +++ mesa-24.3.0-rc1/src/glx/glx_query.c @@ -56,6 +56,13 @@ __glXQueryServerString(Display * dpy, CA /* The spec doesn't mention this, but the Xorg server replies with * a string already terminated with '\0'. */ uint32_t len = xcb_glx_query_server_string_string_length(reply); + /* Allow a max of 64kb string length */ + size_t reply_len = strnlen(xcb_glx_query_server_string_string(reply), 64*1024); + if (reply_len + 1 != len) + { + free(reply); + return(NULL); + } char *buf = malloc(len); memcpy(buf, xcb_glx_query_server_string_string(reply), len); free(reply); @@ -83,6 +90,12 @@ __glXGetString(Display * dpy, CARD32 con /* The spec doesn't mention this, but the Xorg server replies with * a string already terminated with '\0'. */ uint32_t len = xcb_glx_get_string_string_length(reply); + size_t reply_len = strnlen(xcb_glx_get_string_string(reply), 64*1024); + if (reply_len + 1 != len) + { + free(reply); + return(NULL); + } char *buf = malloc(len); memcpy(buf, xcb_glx_get_string_string(reply), len); free(reply);
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor