From f5af3b21bc94cb020f3530c3cc70f8a9fd6c6452 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann
Date: Sun, 3 May 2020 12:29:53 +0200
Subject: Prevent OOB write with long file names.
If an -f argument is exactly 1022 characters in size, an off-by-one stack overflow happens in auth_finalize. The overflow could be even larger if locks are ignored for authentication files. Make sure that a given authentication file name fits into temporary buffer and that this buffer matches buffer sizes of libXau which is used by xauth.
---
 process.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/process.c b/process.c
index 43f10e0..044611b 100644
--- a/process.c
+++ b/process.c
@@ -697,6 +697,10 @@ auth_initialize(const char *authfilename)
     FILE *authfp;
     Bool exists;
+    if (strlen(authfilename) > 1022) {
+        fprintf (stderr, "%s: authority file name \"%s\" too long\n",
+                 ProgramName, authfilename);
+    }
     xauth_filename = authfilename; /* used in cleanup, prevent race with signals */
     register_signals ();
@@ -854,7 +858,7 @@ write_auth_file(char *tmp_nam)
 int
 auth_finalize(void)
 {
-    char temp_name[1024]; /* large filename size */
+    char temp_name[1025]; /* large filename size */
     if (xauth_modified) {
         if (dieing) {
-- 
cgit v1.2.1
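Review bot: The length check added at the top of auth_initialize only prints the diagnostic and then falls through: `xauth_filename = authfilename` is still assigned and the over-long name is still used, so the enlarged 1025-byte `temp_name` in auth_finalize (second hunk) can still overflow for names longer than 1022 characters. The check needs to abort the function before the closing brace, e.g. `return -1;`, using whatever non-zero status auth_initialize's other failure paths return (those paths are outside the hunk). The limit 1022 and the buffer size 1025 are coupled by unnamed literals in two different functions; a single named constant with a comment stating how it relates to the libXau buffer size the commit message mentions would keep the two from drifting apart. The bodies of auth_initialize and auth_finalize both continue outside their hunks.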