Bug 107105 - glyph.c ignores allocation failures with possible heap corruption
Summary: glyph.c ignores allocation failures with possible heap corruption
Status: RESOLVED MOVED
Alias: None
Product: XCB
Classification: Unclassified
Component: Utils (show other bugs)
Version: unspecified
Hardware: Other All
Importance: medium normal
Assignee: xcb mailing list dummy
QA Contact: xcb mailing list dummy
Reported: 2018-07-03 21:15 UTC by Sam Varshavchik
Modified: 2019-02-16 19:44 UTC (History)

Description Sam Varshavchik 2018-07-03 21:15:56 UTC
In renderutil/glyph.c, _grow_stream() checks if realloc() fails, but doesn't really do anything about that, and simply returns.

All existing callers of _grow_stream() assume that it succeeds, and proceed to blindly memcpy() more stuff to the stream.

There's a remote chance of this being exploitable. An attacker would have to cause an application that uses xcb to:

- run out of memory

- proceed to create a text stream consisting of glyph data that overwrites and corrupts the existing heap space, in some controlled way.

A brief survey of the existing calls to _grow_stream() suggests that plugging this hole is trivial -- have _grow_stream() return an error indication, and all existing calls to _grow_stream() in glyph.c can simply return, in that case.
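The failure mode the report describes, and the fix it proposes, as an added C example: this is not code from xcb-util-renderutil's glyph.c. The glyph_stream_t struct, the hook_realloc test hook that simulates out-of-memory, and the function names are assumptions standing in for _grow_stream() and its callers. The "before" pair swallows the realloc failure and memcpy()s anyway; the "after" pair makes growth return an error and the caller bail out with the stream untouched.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the text stream grown by _grow_stream(): a heap buffer,
 * the number of bytes used so far, and its capacity (assumed layout). */
typedef struct {
    uint8_t *data;
    size_t   len;
    size_t   cap;
} glyph_stream_t;

/* Test hook (assumption, not in the real library): when nonzero, the
 * next realloc request fails, simulating an out-of-memory condition. */
static int fail_next_realloc = 0;

static void *hook_realloc(void *p, size_t n)
{
    if (fail_next_realloc) {
        fail_next_realloc = 0;
        return NULL;
    }
    return realloc(p, n);
}

/* BEFORE: the pattern in the report. The failed realloc is noticed, but the
 * function returns void, so the caller cannot tell and writes anyway.
 * Only safe to call while realloc succeeds. */
static void grow_stream_unchecked(glyph_stream_t *s, size_t extra)
{
    if (s->len + extra <= s->cap)
        return;
    size_t ncap = (s->len + extra) * 2;
    uint8_t *p = hook_realloc(s->data, ncap);
    if (!p)
        return;                 /* error swallowed: data and cap unchanged */
    s->data = p;
    s->cap = ncap;
}

static void append_unchecked(glyph_stream_t *s, const void *src, size_t n)
{
    grow_stream_unchecked(s, n);
    memcpy(s->data + s->len, src, n);   /* heap overflow if growth failed */
    s->len += n;
}

/* AFTER: growth reports failure, and every caller returns on error. */
static int grow_stream(glyph_stream_t *s, size_t extra)
{
    if (extra > SIZE_MAX - s->len)      /* guard the length arithmetic too */
        return -1;
    if (s->len + extra <= s->cap)
        return 0;
    size_t need = s->len + extra;
    size_t ncap = need > SIZE_MAX / 2 ? need : need * 2;
    uint8_t *p = hook_realloc(s->data, ncap);
    if (!p)
        return -1;                      /* stream left exactly as it was */
    s->data = p;
    s->cap = ncap;
    return 0;
}

static int append_checked(glyph_stream_t *s, const void *src, size_t n)
{
    if (grow_stream(s, n) != 0)
        return -1;                      /* nothing written, len unchanged */
    memcpy(s->data + s->len, src, n);
    s->len += n;
    return 0;
}

/* Driver: returns 0 if the checked path rejects a write after a simulated
 * allocation failure without touching len, cap or the stored bytes, and then
 * succeeds once memory is available again; nonzero identifies which step failed. */
static int demo_checked_append(void)
{
    static const uint8_t ids[] = "glyphs-ids!!";   /* constructed sample, 12 bytes */
    glyph_stream_t s = { malloc(8), 0, 8 };
    int rc = 0;
    if (!s.data)
        return -1;
    append_unchecked(&s, ids, 4);                  /* fits; memory is fine here */
    if (s.len != 4 || s.cap != 8)
        rc = -2;
    fail_next_realloc = 1;                         /* next growth attempt fails */
    if (rc == 0 && (append_checked(&s, ids, 12) != -1 || s.len != 4 || s.cap != 8
                    || memcmp(s.data, ids, 4) != 0))
        rc = -3;
    if (rc == 0 && (append_checked(&s, ids, 12) != 0 || s.len != 16 || s.cap < 16
                    || memcmp(s.data + 4, ids, 12) != 0))
        rc = -4;
    free(s.data);
    return rc;
}

int main(void)
{
    printf("demo_checked_append: %d\n", demo_checked_append());
    return 0;
}
```

The unchecked pair is exercised only on a path where realloc succeeds; under the simulated failure it would write twelve bytes into an eight-byte allocation, which is exactly the corruption the report warns about. Note that the hardened grow_stream() also guards the len + extra addition, since the same caller-controlled lengths could wrap it.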
Comment 1 GitLab Migration User 2019-02-16 19:44:31 UTC
-- GitLab Migration Automatic Message --

This bug has been migrated to freedesktop.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.freedesktop.org/xorg/lib/libxcb-cursor/issues/7.