If the server returns a bogus (short) reply to a swapped QueryFont request, RcvRep swaps past the end of its buffer, smashing the heap.
Signed-off-by: Peter Harris <[email protected]> --- xts5/src/libproto/RcvRep.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/xts5/src/libproto/RcvRep.c b/xts5/src/libproto/RcvRep.c index c375d5a..946ce6f 100644 --- a/xts5/src/libproto/RcvRep.c +++ b/xts5/src/libproto/RcvRep.c @@ -374,6 +374,10 @@ int client; /* */ wbcopy(rbp,valuePtr, 32); break; case X_QueryFont: + if (rp->generic.length < 7) { + Length_Error(max(bytes_there,calculated_length<<2),client,rp,type,"QueryFont",7); + break; + } valuePtr = (unsigned char *) &(((xQueryFontReply *)rp)->minBounds); Unpack_Shorts((unsigned short *) valuePtr, &rbp, 6, needswap); rbp += 4; -- 2.1.0 _______________________________________________ [email protected]: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
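Review bot: the new `rp->generic.length < 7` guard at the top of the X_QueryFont case only bounds the fixed-size part of the reply (the 7 length units after the 32-byte header that hold minBounds and the other fixed fields), so the literal 7 should be derived from the struct rather than written twice, for example `(sizeof(xQueryFontReply) - 32) / 4`, so the check and the Length_Error argument cannot drift apart; and if the rest of this case goes on to unpack variable-length data after the fixed fields, it needs an equivalent bound against the same length field, since this guard alone does not prevent swapping past the end of a reply that is long enough for the header but too short for what follows.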
