Reject string longer than USHRT_MAX before sending them on the wire

The X protocol uses CARD16 values to represent the length so this would overflow. CVE-2021-31535 Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>
author: Matthieu Herrb <matthieu@herrb.eu> 2021-02-19 15:30:39 +0100
committer: Matthieu Herrb <matthieu.herrb@laas.fr> 2021-05-18 13:57:49 +0200
commit: 8d2e02ae650f00c4a53deb625211a0527126c605 (patch)
tree: 726fc0c062d2953b13bfdf3d9ec8d63724e4140c /src/Font.c
parent: 838ea5a5a0267c25b20c095c9a70684edeeefba4 (diff)
download: xorg-lib-libX11-8d2e02ae650f00c4a53deb625211a0527126c605.tar.gz
1 files changed, 3 insertions, 1 deletions
diff --git a/src/Font.c b/src/Font.c
index d4ebdaca..1cd89cca 100644
--- a/src/Font.c
+++ b/src/Font.c
@@ -102,6 +102,8 @@ XFontStruct *XLoadQueryFont(
     XF86BigfontCodes *extcodes = _XF86BigfontCodes(dpy);
 #endif
 
+    if (strlen(name) >= USHRT_MAX)
+        return NULL;
     if (_XF86LoadQueryLocaleFont(dpy, name, &font_result, (Font *)0))
       return font_result;
     LockDisplay(dpy);
@@ -663,7 +665,7 @@ int _XF86LoadQueryLocaleFont(
     if (!name)
 	return 0;
     l = (int) strlen(name);
-    if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-')
+    if (l < 2 || name[l - 1] != '*' || name[l - 2] != '-' || l >= USHRT_MAX)
 	return 0;
     charset = NULL;
     /* next three lines stolen from _XkbGetCharset() */
author	Matthieu Herrb <matthieu@herrb.eu>	2021-02-19 15:30:39 +0100
committer	Matthieu Herrb <matthieu.herrb@laas.fr>	2021-05-18 13:57:49 +0200
commit	8d2e02ae650f00c4a53deb625211a0527126c605 (patch)
tree	726fc0c062d2953b13bfdf3d9ec8d63724e4140c /src/Font.c
parent	838ea5a5a0267c25b20c095c9a70684edeeefba4 (diff)
download	xorg-lib-libX11-8d2e02ae650f00c4a53deb625211a0527126c605.tar.gz