From 9264a21b688891dbdcee630ff72cf39aa75fc4e1 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 9 Mar 2013 11:44:14 -0800
Subject: [PATCH 2/2] unvalidated length in _XtResourceConfigurationEH
 [CVE-2013-2002]

The RCM_DATA property is expected to be in the format:
    resource_length, resource, value

If the property contains a resource_length that results in a pointer
outside the property string, memory corruption can occur.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
 src/ResConfig.c | 41 ++++++++++++++++++++++++++---------------
 1 file changed, 26 insertions(+), 15 deletions(-)

diff --git a/src/ResConfig.c b/src/ResConfig.c
index 68da536..1f3edbe 100644
--- a/src/ResConfig.c
+++ b/src/ResConfig.c
@@ -971,26 +971,37 @@ _XtResourceConfigurationEH (
 	 *      resource and value fields.
 	 */
 		if (data) {
+			char *data_end = data + nitems;
+			char *data_value;
+
 			resource_len = Strtoul ((void *)data, &data_ptr, 10);
-			data_ptr++;
 
-			data_ptr[resource_len] = '\0';
+			if (data_ptr != (char *) data) {
+				data_ptr++;
+				data_value = data_ptr + resource_len;
+			} else /* strtoul failed to convert a number */
+				data_ptr = data_value = NULL;
+
+			if (data_value > data_ptr && data_value < data_end) {
+				*data_value++ = '\0';
 
-			resource = XtNewString (data_ptr);
-			value = XtNewString (&data_ptr[resource_len + 1]);
+				resource = XtNewString (data_ptr);
+				value = XtNewString (data_value);
 #ifdef DEBUG
-			fprintf (stderr, "resource_len=%d\n",resource_len);
-			fprintf (stderr, "resource = %s\t value = %s\n",
-					resource, value);
+				fprintf (stderr, "resource_len=%d\n"
+					 resource_len);
+				fprintf (stderr, "resource = %s\t value = %s\n",
+					 resource, value);
 #endif
-			/*
-			 * descend the application widget tree and
-			 * apply the value to the appropriate widgets
-			 */
-			_search_widget_tree (w, resource, value);
-
-			XtFree (resource);
-			XtFree (value);
+				/*
+				 * descend the application widget tree and
+				 * apply the value to the appropriate widgets
+				 */
+				_search_widget_tree (w, resource, value);
+
+				XtFree (resource);
+				XtFree (value);
+			}
 		}
 	}
 
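Review bot: The bounds test `data_value > data_ptr && data_value < data_end` runs only after `data_value = data_ptr + resource_len` has already formed a pointer from the untrusted length; for a large `resource_len` that addition is undefined behaviour, so a compiler may fold the first comparison to `resource_len != 0`. Comparing lengths avoids forming an out-of-range pointer: `if (data_ptr != NULL && data_ptr < data_end && resource_len > 0 && resource_len < (unsigned long) (data_end - data_ptr))`, with `data_value = data_ptr + resource_len;` moved inside that branch. Separately, the DEBUG-only call `fprintf (stderr, "resource_len=%d\n"` has lost the comma after the format string, so a DEBUG build will not compile; it should read `fprintf (stderr, "resource_len=%d\n", resource_len);`. The declarations of `resource_len`, `data` and `nitems` and the rest of `_XtResourceConfigurationEH` are outside the hunk, so the cast type and the assumption that `data + nitems` points at the property's terminating NUL should be confirmed there.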
-- 
1.8.2.3