From cb98d3b3c5e0f8a7585ab6e2c909fad68c52fd55 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann
Date: Sun, 3 May 2020 12:25:21 +0200
Subject: Fix segmentation fault on invalid add argument.

The hex key supplied with an add command can be quoted, in which case the quotation marks are removed. The check itself makes sure that a given string starts with a double quotation mark and ends with a double quotation mark. Buf if only " is supplied, the code crashes because it subtracts 2 from the length (which is 1) and therefore copies too much memory into a 0 allocated memory area.

Proof of concept:
$ xauth add :0 0 \"
---
 process.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/process.c b/process.c
index 148f14b..43f10e0 100644
--- a/process.c
+++ b/process.c
@@ -1614,7 +1614,7 @@ do_add(const char *inputfilename, int lineno, int argc, const char **argv)
     hexkey = argv[3];
     len = strlen(hexkey);
-    if (hexkey[0] == '"' && hexkey[len-1] == '"') {
+    if (len > 1 && hexkey[0] == '"' && hexkey[len-1] == '"') {
         key = malloc(len-1);
         strncpy(key, hexkey+1, len-2);
         len -= 2;
-- 
cgit v1.2.1
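Review bot: `key = malloc(len-1);` on the line after the new `len > 1` guard is still handed straight to `strncpy` with no NULL test, so an allocation failure dereferences a null pointer; add `if (key == NULL) { /* report and bail out the way do_add's other error paths do */ }` before the copy. Separately, `strncpy(key, hexkey+1, len-2)` copies exactly len-2 bytes into a len-1 byte buffer and never writes a terminator, so the final byte stays uninitialized; if key is ever consumed as a C string further down that is a read of uninitialized memory, and `memcpy(key, hexkey+1, len-2); key[len-2] = '\0';` would make both the copied length and the buffer contents fully defined. Whether key needs termination, and what error convention do_add uses, depends on code outside this hunk; do_add's body continues beyond it on both sides.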