XvQueryPortAttributes has two issues with regards to returning names for attributes that could possibly reveal information to a compromised server.
1) It does not guarantee that the name strings are nil terminated, instead trusting the names sent by the server.
2) If the last attribute(s) have sizes that would overflow the available text string space left, the name pointers will point to uninitialized memory with what ever contents was in the memory as returned by Xmalloc.
Because these attribute names need to be converted to atoms before being used by other API calls in libXv, it is possible that the uninitialized memory or memory pass the end of the unterminated string could be exposed to the server.
This is true as of libXv 1.0.8
Created attachment 80145 [details] [review]
Patch to fix
This patch attempts to fix this bug by ensuring that there is at least one nil byte at the end of all the name strings. This should prevent reading past the end of the allocation as well as exposing uninitialized memory.
The (INT_MAX/2) - 1 change isn't necessary because of rounding adding 1 will not overflow, but seems pointless to require the mental arithmetic every time the code was read. ( Proof: 2*(INT_MAX/2) == INT_MAX - 1 assuming integer math and that INT_MAX is always odd. )
Fix pushed to git master:
179ed25..22cc0c8 master -> master
Thanks for finding & fixing this!
on Jan 21, 2017 at 02:08:18.
(provided by the Example extension).