Bug 65252 - XvQueryPortAttributes (libXv) does not guarantee nil-terminated names and can return uninitialized memory
XvQueryPortAttributes (libXv) does not guarantee nil-terminated names and can...
Status: RESOLVED FIXED
Product: xorg
Classification: Unclassified
Component: Lib/other
git
Other All
: medium normal
Assigned To: Alan Coopersmith
Xorg Project Team
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2013-06-02 02:09 UTC by Daphne Pfister
Modified: 2013-06-07 05:14 UTC (History)
0 users

See Also:


Attachments
Patch to fix (1.26 KB, patch)
2013-06-02 02:44 UTC, Daphne Pfister
no flags Details | Splinter Review

Note You need to log in before you can comment on or make changes to this bug.
Description Daphne Pfister 2013-06-02 02:09:07 UTC
XvQueryPortAttributes has two issues with regards to returning names for attributes that could possibly reveal information to a compromised server.

1) It does not guarantee that the name strings are nil terminated, instead trusting the names sent by the server.
2) If the last attribute(s) have sizes that would overflow the available text string space left, the name pointers will point to uninitialized memory with what ever contents was in the memory as returned by Xmalloc.

Because these attribute names need to be converted to atoms before being used by other API calls in libXv, it is possible that the uninitialized memory or memory pass the end of the unterminated string could be exposed to the server.

This is true as of libXv 1.0.8
Comment 1 Daphne Pfister 2013-06-02 02:44:59 UTC
Created attachment 80145 [details] [review]
Patch to fix

This patch attempts to fix this bug by ensuring that there is at least one nil byte at the end of all the name strings. This should prevent reading past the end of the allocation as well as exposing uninitialized memory.

The (INT_MAX/2) - 1 change isn't necessary because of rounding adding 1 will not overflow, but seems pointless to require the mental arithmetic every time the code was read.  ( Proof: 2*(INT_MAX/2) == INT_MAX - 1 assuming integer math and that INT_MAX is always odd. )
Comment 2 Alan Coopersmith 2013-06-07 05:14:21 UTC
Fix pushed to git master:
To ssh://git.freedesktop.org/git/xorg/lib/libXv
   179ed25..22cc0c8  master -> master

http://cgit.freedesktop.org/xorg/lib/libXv/commit/?id=22cc0c897a28a41d49fe68277bb3c002f54bbb48

Thanks for finding & fixing this!