[Xcb] [Bug 107105] New: glyph.c ignores allocation failures with possible heap corruption
b***@freedesktop.org
2018-07-03 21:15:56 UTC
https://bugs.freedesktop.org/show_bug.cgi?id=107105

Bug ID: 107105
Summary: glyph.c ignores allocation failures with possible heap corruption
Product: XCB
Version: unspecified
Hardware: Other
OS: All
Status: NEW
Severity: normal
Priority: medium
Component: Utils
Assignee: ***@lists.freedesktop.org
Reporter: ***@courier-mta.com
QA Contact: ***@lists.freedesktop.org

In renderutil/glyph.c, _grow_stream() checks if realloc() fails, but doesn't
really do anything about that, and simply returns.

All existing callers of _grow_stream() assume that it succeeds, and proceed to
blindly memcpy() more stuff to the stream.

There's a remote chance of this being exploitable. An attacker would have to
cause an application that uses xcb to:

- run out of memory

- proceed to create a text stream consisting of glyph data that overwrites and
corrupts the existing heap space, in some controlled way.

A brief survey of the existing calls to _grow_stream() suggests that plugging
this hole is trivial -- have _grow_stream() return an error indication, and all
existing calls to _grow_stream() in glyph.c can simply return, in that case.
--
You are receiving this mail because:
You are the assignee for the bug.
You are the QA Contact for the bug.
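As an added illustration (not XCB's code, and not the reporter's), here is a hypothetical growable stream in the shape the report describes, with the proposed fix applied: grow_stream() returns an error indication, and the caller checks it before memcpy(). The struct, function names and the simulate_oom hook that makes realloc() fail deterministically are all constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable byte stream, modelled on the report's description
 * of renderutil/glyph.c; this is not XCB's own code. */
typedef struct {
    uint8_t *data;
    size_t   len;   /* bytes in use */
    size_t   cap;   /* bytes allocated */
} stream_t;

/* Constructed test hook: when set, realloc() is treated as having failed. */
static int simulate_oom = 0;

/* Ensure room for `extra` more bytes. Returns 1 on success, 0 on failure.
 * On failure the stream is left untouched, so a caller that checks the
 * result never copies into memory it does not own. */
static int grow_stream(stream_t *s, size_t extra)
{
    if (extra > SIZE_MAX - s->len)          /* overflow in len + extra */
        return 0;
    size_t need = s->len + extra;
    if (need <= s->cap)
        return 1;
    size_t newcap = s->cap ? s->cap : 64;
    while (newcap < need)
        newcap = (newcap > SIZE_MAX / 2) ? need : newcap * 2;
    uint8_t *p = simulate_oom ? NULL : realloc(s->data, newcap);
    if (p == NULL)
        return 0;                           /* propagate; do not memcpy */
    s->data = p;
    s->cap  = newcap;
    return 1;
}

/* Caller in the style of the fix the report proposes: grow, check the
 * result, and only then memcpy. Returns 1 on success, 0 if refused. */
static int stream_append(stream_t *s, const void *src, size_t n)
{
    if (!grow_stream(s, n))
        return 0;
    memcpy(s->data + s->len, src, n);
    s->len += n;
    return 1;
}

static void stream_free(stream_t *s) { free(s->data); s->data = NULL; s->len = s->cap = 0; }
```

With the check in place, an append that cannot be satisfied is refused and the existing contents and length of the stream are unchanged.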