Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Backports:SLE-15-SP4:FactoryCandidates
Mesa
u_mesa-CVE-2023-45919.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File u_mesa-CVE-2023-45919.patch of Package Mesa
src/glx/glx_query.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) --- a/src/glx/glx_query.c +++ b/src/glx/glx_query.c @@ -53,6 +53,13 @@ __glXQueryServerString(Display * dpy, in /* The spec doesn't mention this, but the Xorg server replies with * a string already terminated with '\0'. */ uint32_t len = xcb_glx_query_server_string_string_length(reply); + /* Allow a max of 64kb string length */ + size_t reply_len = strnlen(xcb_glx_query_server_string_string(reply), 64*1024); + if (reply_len + 1 != len) + { + free(reply); + return(NULL); + } char *buf = malloc(len); memcpy(buf, xcb_glx_query_server_string_string(reply), len); free(reply); @@ -77,6 +84,12 @@ __glXGetString(Display * dpy, int opcode /* The spec doesn't mention this, but the Xorg server replies with * a string already terminated with '\0'. */ uint32_t len = xcb_glx_get_string_string_length(reply); + size_t reply_len = strnlen(xcb_glx_get_string_string(reply), 64*1024); + if (reply_len + 1 != len) + { + free(reply); + return(NULL); + } char *buf = malloc(len); memcpy(buf, xcb_glx_get_string_string(reply), len); free(reply);
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor