X.Org security advisory: CVE-2013-4396: Use after free in Xserver handling of ImageText requests
X.Org Security Advisory: October 8, 2013 - CVE-2013-4396
Use after free in Xserver handling of ImageText requests
Description:
Pedro Ribeiro (pedrib at gmail.com) reported an issue to the X.Org security team in which an authenticated X client (one that has already been admitted to the server) can cause an X server to use memory after it was freed, potentially leading to a crash and/or memory corruption.
Affected Versions
This bug appears to have been introduced in RCS version 1.42 on 1993/09/18, and is thus believed to be present in every X server release starting with X11R6.0 up to the current xorg-server 1.14.3. (Manual inspection shows it is present in the sources from the X11R6 tarballs, but not in those from the X11R5 tarballs.)
Fixes
A fix is available via the attached patch, which is intended to be included in xorg-server 1.15.0 and 1.14.4.
http://lists.x.org/archives/xorg-announce/2013-October/002332.html
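To make the control-flow error concrete before reading the patch, the following is a small C model of the pattern the attached patch corrects. It is an added example, not xserver code: the closure struct, the quarantine helpers and the sample text are constructed for the example, a flag stands in for the second malloc failing, and the `fixed` argument toggles the one line the patch adds on each error path. Build it with `-fsanitize=address` and remove the `is_freed()` guard to see the unpatched path trip a real heap-use-after-free report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the doImageText closure handling (example code,
 * not xserver code): the server copies the caller's closure to the heap
 * before putting the client to sleep, and the bail path reports errors
 * through whatever `c` points at when it is reached. */
typedef struct {
    int nChars;
    const unsigned char *data;
    int slept;          /* state the bail path inspects (hypothetical field) */
} ITclosure;

enum { Success = 0, BadAlloc = 11, UseAfterFree = -1 };

/* Tiny quarantine so a dangling pointer can be recognised without
 * dereferencing freed memory; AddressSanitizer does this for real. */
#define QUARANTINE 8
static void *freed_ptrs[QUARANTINE];
static int n_freed;

static void closure_free(ITclosure *c)
{
    if (n_freed < QUARANTINE)
        freed_ptrs[n_freed++] = c;
    free(c);
}

static int is_freed(const void *p)
{
    for (int i = 0; i < n_freed; i++)
        if (freed_ptrs[i] == p)
            return 1;
    return 0;
}

/* fail_data simulates the text-buffer malloc failing; fixed selects the
 * patched behaviour (restore c before bail). Returns the X error code,
 * or UseAfterFree when the unpatched bail path would touch freed memory. */
static int do_image_text(ITclosure *c, int fail_data, int fixed)
{
    ITclosure *new_closure, *old_closure;
    unsigned char *data;
    int err = Success;

    n_freed = 0;

    /* We're putting the client to sleep: continue from a heap copy. */
    new_closure = malloc(sizeof *new_closure);
    if (!new_closure) {
        err = BadAlloc;
        goto bail;
    }
    old_closure = c;        /* what the patch adds: remember the caller's closure */
    *new_closure = *c;      /* shallow copy; data still aliases the caller's buffer */
    c = new_closure;

    data = fail_data ? NULL : malloc((size_t)c->nChars);
    if (!data) {
        closure_free(c);    /* the copy is gone ... */
        if (fixed)
            c = old_closure;    /* ... so point c back at the caller's closure */
        err = BadAlloc;
        goto bail;
    }
    memcpy(data, c->data, (size_t)c->nChars);
    c->data = data;

    /* Success path: in the server the client now sleeps and the copy lives
     * on; here the deferred work is simply finished and released. */
    free(data);
    closure_free(c);
    return Success;

bail:
    if (err != Success) {
        if (is_freed(c))        /* unpatched: c still points at new_closure */
            return UseAfterFree;
        c->slept = 0;           /* safe: this is the caller's closure */
    }
    return err;
}

/* Drive one scenario on a fresh closure built from a constructed sample;
 * optionally report the caller's slept flag afterwards. */
static int run_case(int fail_data, int fixed, int *slept_out)
{
    static const unsigned char text[] = "Hello";
    ITclosure cl = { (int)(sizeof text - 1), text, 1 };
    int err = do_image_text(&cl, fail_data, fixed);
    if (slept_out)
        *slept_out = cl.slept;
    return err;
}

static int slept_after(int fail_data, int fixed)
{
    int slept = -1;
    run_case(fail_data, fixed, &slept);
    return slept;
}

int main(void)
{
    printf("normal path            -> %d\n", run_case(0, 0, NULL));
    printf("malloc fails, unpatched -> %d (UseAfterFree)\n", run_case(1, 0, NULL));
    printf("malloc fails, patched   -> %d (BadAlloc), slept=%d\n",
           run_case(1, 1, NULL), slept_after(1, 1));
    return 0;
}
```

The quarantine is only there to keep the demonstration deterministic; in the real server the unpatched bail path reads and writes through the freed copy, which is the crash or memory corruption the advisory describes.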
dix/dixfonts.c | 5 +
1 file changed, 5 insertions(+)
diff —git a/dix/dixfonts.c b/dix/dixfonts.c
index feb765d..2e34d37 100644
—- a/dix/dixfonts.c
+ b/dix/dixfonts.c
@@ –1425,6 +1425,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
GC *pGC;
unsigned char *data;
ITclosurePtr new_closure;
- ITclosurePtr old_closure;
/* We’re putting the client to sleep. We need to
save some state. Similar problem to that handled
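Review bot: old_closure is declared with no comment explaining its purpose; since it only matters on the error paths further down, a one-line note beside the declaration such as "/* caller's closure, restored on bail so we never touch the freed copy */" would save the next reader a trip through the three bail paths below. Note also that, per the diffstat (5 insertions, 0 deletions) and this hunk header growing from 6 to 7 lines, this and the other old_closure lines are additions; the leading "-" in this rendering is a transcription artefact, not a removal.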
@@ –1436,12 +1437,14 @@ doImageText(ClientPtr client, ITclosurePtr c)
err = BadAlloc;
goto bail;
}
- old_closure = c;
*new_closure = *c;
c = new_closure;
data = malloc(c->nChars * itemSize);
if (!data) {
free©;
- c = old_closure;
err = BadAlloc;
goto bail;
}
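Review bot: the ordering here is the whole fix and is right: old_closure = c is taken before c = new_closure, and c = old_closure is restored only after free(c) has consumed the copy, so the bail label sees the caller's closure rather than freed memory. One thing to confirm against the full function, which the excerpt does not show: this path calls free(c) but not free(c->data), whereas the two later hunks free c->data first; that is only correct if the freshly malloc'd data has not yet been stored into c->data at this point.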
@@ –1452,6 +1455,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
if (!pGC) {
free(c->data);
free©; - c = old_closure;
err = BadAlloc;
goto bail;
}
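Review bot: the restore leaves bail holding old_closure, whose data member still points at the caller's original buffer because the *new_closure = *c copy earlier was shallow; for that to be safe, the free(c->data) here must be releasing the buffer malloc'd into the copy, not the caller's buffer, which depends on an assignment to c->data that sits between this hunk and the previous one and is not visible here. A comment at the restore stating that assumption would help. (The restore is rendered on the same line as free(c) in this copy; per the hunk header, 1452,6 to 1455,7, it is a separate added line.)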
@@ –1464,6 +1468,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
FreeScratchGC(pGC);
free(c->data);
free©; - c = old_closure;
err = BadAlloc;
goto bail;
}
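Review bot: this is the third copy of the identical cleanup sequence (free(c->data); free(c); c = old_closure; err = BadAlloc; goto bail;) within a few dozen lines, and the bug being fixed is precisely that these paths drifted out of step with the bail label; consider collapsing them into a single error label that does the frees and the restore once, so a future fourth failure path cannot omit the restore.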
—
1.7.9.2
(from redmine: issue id 2518, created on 2013-12-17, closed on 2013-12-18)
- Relations:
- child #2519 (closed)
- child #2520 (closed)
- child #2521 (closed)