> Tobias Stoeckmann <tob...@stoeckmann.org> hat am 7. Februar 2019 um 20:54 > geschrieben: > > > Command line arguments are copied into clientargv and serverargv without > verifying that enough space is available. A high amount of arguments can > therefore trigger a buffer overflow like this: > > $ xinit $(seq 1 500) > > Signed-off-by: Tobias Stoeckmann <tob...@stoeckmann.org>
works for me
Reviewed-by: Walter Harms wharms@bfs,de
> ---
> Integrated calculation as suggested by Walter with style according to
> rest of the code.
> ---
> xinit.c | 7 ++++---
> 1 file changed, 4 insertions(+), 3 deletions(-)
>
> diff --git a/xinit.c b/xinit.c
> index f826b7a..06c92b2 100644
> --- a/xinit.c
> +++ b/xinit.c
> @@ -151,7 +151,6 @@ main(int argc, char *argv[])
> register char **ptr;
> pid_t pid;
> int client_given = 0, server_given = 0;
> - int client_args_given = 0, server_args_given = 0;
> int start_of_client_args, start_of_server_args;
> struct sigaction sa, si;
> #ifdef __APPLE__
> @@ -174,7 +173,8 @@ main(int argc, char *argv[])
> }
> start_of_client_args = (cptr - client);
> while (argc && strcmp(*argv, "--")) {
> - client_args_given++;
> + if (cptr > clientargv + sizeof(clientargv) / sizeof(*clientargv) - 2)
> + Fatalx("too many client arguments");
> *cptr++ = *argv++;
> argc--;
> }
> @@ -202,7 +202,8 @@ main(int argc, char *argv[])
>
> start_of_server_args = (sptr - server);
> while (--argc >= 0) {
> - server_args_given++;
> + if (sptr > serverargv + sizeof(serverargv) / sizeof(*serverargv) - 2)
> + Fatalx("too many server arguments");
> *sptr++ = *argv++;
> }
> *sptr = NULL;
> --
> 2.20.1
>
> _______________________________________________
> xorg-devel@lists.x.org: X.Org development
> Archives: http://lists.x.org/archives/xorg-devel
> Info: https://lists.x.org/mailman/listinfo/xorg-devel
_______________________________________________
xorg-devel@lists.x.org: X.Org development
Archives: http://lists.x.org/archives/xorg-devel
Info: https://lists.x.org/mailman/listinfo/xorg-devel
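Review bot: The bound `clientargv + sizeof(clientargv) / sizeof(*clientargv) - 2` in the client loop carries an unexplained `- 2`, and the same expression is repeated for `serverargv` in the server loop. As written, the last store the check allows is at the second-to-last element, which leaves the final slot for the terminator; `*sptr = NULL` is visible after the server loop, while the matching client store lies outside the hunk and should be confirmed to be the only write that follows the loop. I would add `/* keep the last slot free for the terminating NULL */` above each check, or hoist the element count into one macro such as `#define ARGV_SLOTS(a) (sizeof(a) / sizeof(*(a)))` so both loops state the limit the same way. main's body starts and ends outside these hunks.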