MFC: dbe: Unvalidated variable-length request in
ProcDbeGetVisualInfo (CVE-2017-12177) v2: Protect against integer overflow (Alan Coopersmith)
This commit is contained in:
matthieu
parent
394a8aee54
commit
186982901a
@ -574,6 +574,9 @@ ProcDbeGetVisualInfo(ClientPtr client)
|
|||||||
XdbeScreenVisualInfo *pScrVisInfo;
|
XdbeScreenVisualInfo *pScrVisInfo;
|
||||||
|
|
||||||
REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq);
|
REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq);
|
||||||
|
if (stuff->n > UINT32_MAX / sizeof(CARD32))
|
||||||
|
return BadLength;
|
||||||
|
REQUEST_FIXED_SIZE(xDbeGetVisualInfoReq, stuff->n * sizeof(CARD32));
|
||||||
|
|
||||||
if (stuff->n > UINT32_MAX / sizeof(DrawablePtr))
|
if (stuff->n > UINT32_MAX / sizeof(DrawablePtr))
|
||||||
return BadAlloc;
|
return BadAlloc;
|
||||||
@ -924,7 +927,7 @@ SProcDbeSwapBuffers(ClientPtr client)
|
|||||||
|
|
||||||
swapl(&stuff->n);
|
swapl(&stuff->n);
|
||||||
if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))
|
if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))
|
||||||
return BadAlloc;
|
return BadLength;
|
||||||
REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo));
|
REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo));
|
||||||
|
|
||||||
if (stuff->n != 0) {
|
if (stuff->n != 0) {
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user