[PATCH libXpm] Fix out out boundary read on unknown colors

Matthieu Herrb Tue, 06 Dec 2016 13:39:41 -0800

From: Tobias Stoeckmann <tob...@stoeckmann.org>

libXpm is vulnerable to an out of boundary read if an XPM file contains
a color with a symbolic name but without any default color value.


A caller must set XpmColorSymbols and a color with a NULL name in
the supplied XpmAttributes to XpmReadFileToImage (or other functions of
this type) in order to trigger this issue.
---
 src/create.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/create.c b/src/create.c
index d013da9..a750846 100644
--- a/src/create.c
+++ b/src/create.c
@@ -647,7 +647,8 @@ CreateColors(
                        while (def_index <= 5 && defaults[def_index] == NULL)
                            ++def_index;
                    }
-                   if (def_index >= 2 && defaults[def_index] != NULL &&
+                   if (def_index >= 2 && def_index <= 5 &&
+                       defaults[def_index] != NULL &&
                        !xpmstrcasecmp(symbol->value, defaults[def_index]))
                        break;
                }
-- 
2.10.2

_______________________________________________
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: https://lists.x.org/mailman/listinfo/xorg-devel

[PATCH libXpm] Fix out out boundary read on unknown colors

Reply via email to