The validation of server responses avoids out of boundary accesses.

v2: FontNames.c return a NULL list whenever a single length field from the server is incohent. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org> Reviewed-by: Matthieu Herrb <matthieu@herrb.eu> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>

The validation of server responses avoids out of boundary accesses.
b17557f9 · Tobias Stoeckmann · Ulrich Sibiller · 68e3ee67 · b17557f9 · b17557f9
Commit b17557f9 authored Sep 25, 2016 by Tobias Stoeckmann Committed by Ulrich Sibiller Oct 19, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 27 additions and 11 deletions

FontNames.c nx-X11/lib/X11/FontNames.c +17 -6

ListExt.c nx-X11/lib/X11/ListExt.c +8 -4

ModMap.c nx-X11/lib/X11/ModMap.c +2 -1

No files found.
--- a/nx-X11/lib/X11/FontNames.c
+++ b/nx-X11/lib/X11/FontNames.c
@@ -66,7 +66,7 @@ int *actualCount)	/* RETURN */

    if (rep.nFonts) {
 	flist = Xmalloc (rep.nFonts * sizeof(char *));
-	if (rep.length < (INT_MAX >> 2)) {
+	if (rep.length > 0 && rep.length < (INT_MAX >> 2)) {
 	    rlen = rep.length << 2;
 	    ch = Xmalloc(rlen + 1);
 	    /* +1 to leave room for last null-terminator */
@@ -93,11 +93,22 @@ int *actualCount)	/* RETURN */
 	    if (ch + length < chend) {
 		flist[i] = ch + 1;  /* skip over length */
 		ch += length + 1;  /* find next length ... */
-		length = *(unsigned char *)ch;
-		*ch = '\0';  /* and replace with null-termination */
-		count++;
-	    } else
-		flist[i] = NULL;
+		if (ch <= chend) {
+		    length = *(unsigned char *)ch;
+		    *ch = '\0';  /* and replace with null-termination */
+		    count++;
+		} else {
+                    Xfree(flist);
+                    flist = NULL;
+                    count = 0;
+                    break;
+		}
+	    } else {
+                Xfree(flist);
+                flist = NULL;
+                count = 0;
+                break;
+            }
 	}
    }
    *actualCount = count;

--- a/nx-X11/lib/X11/ListExt.c
+++ b/nx-X11/lib/X11/ListExt.c
@@ -55,7 +55,7 @@ char **XListExtensions(

 	if (rep.nExtensions) {
 	    list = Xmalloc (rep.nExtensions * sizeof (char *));
-	    if (rep.length < (INT_MAX >> 2)) {
+	    if (rep.length > 0 && rep.length < (INT_MAX >> 2)) {
 		rlen = rep.length << 2;
 		ch = Xmalloc (rlen + 1);
                /* +1 to leave room for last null-terminator */
@@ -80,9 +80,13 @@ char **XListExtensions(
 		if (ch + length < chend) {
 		    list[i] = ch+1;  /* skip over length */
 		    ch += length + 1; /* find next length ... */
-		    length = *ch;
-		    *ch = '\0'; /* and replace with null-termination */
-		    count++;
+		    if (ch <= chend) {
+			length = *ch;
+			*ch = '\0'; /* and replace with null-termination */
+			count++;
+		    } else {
+			list[i] = NULL;
+		    }
 		} else
 		    list[i] = NULL;
 	    }

--- a/nx-X11/lib/X11/ModMap.c
+++ b/nx-X11/lib/X11/ModMap.c
@@ -42,7 +42,8 @@ XGetModifierMapping(register Display *dpy)
    GetEmptyReq(GetModifierMapping, req);
    (void) _XReply (dpy, (xReply *)&rep, 0, xFalse);

-    if (rep.length < (INT_MAX >> 2)) {
+    if (rep.length < (INT_MAX >> 2) &&
+	(rep.length >> 1) == rep.numKeyPerModifier) {
 	nbytes = (unsigned long)rep.length << 2;
 	res = Xmalloc(sizeof (XModifierKeymap));
 	if (res)