openSUSE:Leap:15.2:Staging:E
libX11
u_crash-on-invalid-reply-in-XListExtensions.patch
File u_crash-on-invalid-reply-in-XListExtensions.patch of Package libX11
From 060fc58795737e13639f381a7ea55675fd5339c2 Mon Sep 17 00:00:00 2001 From: Stefan Dirsch <sndirsch@suse.de> Date: Tue, 14 Aug 2018 11:46:40 +0200 Subject: [PATCH] crash on invalid reply in XListExtensions References: bsc#1102073 CVE-2018-14598 If the server sends a reply in which even the first string would overflow the transmitted bytes, list[0] will be set to NULL and a count of 0 is returned. If the resulting list is freed with XFreeExtensionList later on, the first Xfree call: Xfree (list[0]-1) turns into Xfree (NULL-1) which will most likely trigger a segmentation fault. I have modified the code to return NULL if the first string would overflow, thus protecting XFreeExtensionList later on. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org> --- src/ListExt.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/ListExt.c b/src/ListExt.c index 6537c4dc..ece9ba31 100644 --- a/src/ListExt.c +++ b/src/ListExt.c @@ -83,6 +83,11 @@ char **XListExtensions( length = (unsigned char) *ch; *ch = '\0'; /* and replace with null-termination */ count++; + } else if (i == 0) { + Xfree(list); + Xfree(ch); + list = NULL; + break; } else list[i] = NULL; } -- 2.16.4
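Review bot: In the new `else if (i == 0)` branch, `Xfree(ch)` releases the string buffer through the cursor pointer, which is only correct if `ch` still points at the start of its allocation on the first iteration, and the hunk carries no comment saying so or explaining why index 0 is special. I would add a short comment above the branch stating that `XFreeExtensionList` calls `Xfree (list[0]-1)` and therefore `list[0]` must never be NULL in a returned list, and that `ch` has not been advanced yet at `i == 0`. After `break`, `list` is NULL and `ch` is dangling, so please confirm that the code following the loop (not visible in this hunk) does not touch `ch` again and returns the NULL `list` together with a count of 0; setting `ch = NULL` next to `list = NULL` would make that explicit. The unchanged `list[i] = NULL` path for `i > 0` also deserves a one-line comment noting that it is safe because only `list[0]` is used when the list is freed.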