qbit/xenocara
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

MFC: Unvalidated lengths

Browse Source 
v2: Add overflow check and remove unnecessary check (Julien Cristau)

This addresses:
CVE-2017-12184 in XINERAMA
CVE-2017-12185 in MIT-SCREEN-SAVER
CVE-2017-12186 in X-Resource
CVE-2017-12187 in RENDER
This commit is contained in:
matthieu 2017-10-14 09:20:42 +00:00
parent fe08a081d8
commit 3b3c79f0b0
7 changed files with 17 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
xserver/Xext/panoramiX.c
View File

@ -988,10 +988,11 @@ ProcPanoramiXGetScreenSize(ClientPtr client)
xPanoramiXGetScreenSizeReply rep;
int rc;
REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
if (stuff->screen >= PanoramiXNumScreens)
return BadMatch;
REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
rc = dixLookupWindow(&pWin, stuff->window, client, DixGetAttrAccess);
if (rc != Success)
return rc;

2
xserver/Xext/saver.c
View File

@ -1185,6 +1185,8 @@ ProcScreenSaverUnsetAttributes(ClientPtr client)
PanoramiXRes *draw;
int rc, i;
REQUEST_SIZE_MATCH(xScreenSaverUnsetAttributesReq);
rc = dixLookupResourceByClass((void **) &draw, stuff->drawable,
XRC_DRAWABLE, client, DixWriteAccess);
if (rc != Success)

4
xserver/Xext/xres.c
View File

@ -1039,6 +1039,8 @@ ProcXResQueryResourceBytes (ClientPtr client)
ConstructResourceBytesCtx ctx;
REQUEST_AT_LEAST_SIZE(xXResQueryResourceBytesReq);
if (stuff->numSpecs > UINT32_MAX / sizeof(ctx.specs[0]))
return BadLength;
REQUEST_FIXED_SIZE(xXResQueryResourceBytesReq,
stuff->numSpecs * sizeof(ctx.specs[0]));
@ -1144,8 +1146,8 @@ SProcXResQueryResourceBytes (ClientPtr client)
int c;
xXResResourceIdSpec *specs = (void*) ((char*) stuff + sizeof(*stuff));
swapl(&stuff->numSpecs);
REQUEST_AT_LEAST_SIZE(xXResQueryResourceBytesReq);
swapl(&stuff->numSpecs);
REQUEST_FIXED_SIZE(xXResQueryResourceBytesReq,
stuff->numSpecs * sizeof(specs[0]));

4
xserver/Xext/xvdisp.c
View File

@ -1496,12 +1496,14 @@ XineramaXvShmPutImage(ClientPtr client)
{
REQUEST(xvShmPutImageReq);
PanoramiXRes *draw, *gc, *port;
Bool send_event = stuff->send_event;
Bool send_event;
Bool isRoot;
int result, i, x, y;
REQUEST_SIZE_MATCH(xvShmPutImageReq);
send_event = stuff->send_event;
result = dixLookupResourceByClass((void **) &draw, stuff->drawable,
XRC_DRAWABLE, client, DixWriteAccess);
if (result != Success)

2
xserver/hw/dmx/dmxpict.c
View File

@ -716,6 +716,8 @@ dmxProcRenderSetPictureFilter(ClientPtr client)
filter = (char *) (stuff + 1);
params = (XFixed *) (filter + ((stuff->nbytes + 3) & ~3));
nparams = ((XFixed *) stuff + client->req_len) - params;
if (nparams < 0)
return BadLength;
XRenderSetPictureFilter(dmxScreen->beDisplay,
pPictPriv->pict, filter, params, nparams);

3
xserver/pseudoramiX/pseudoramiX.c
View File

@ -297,10 +297,11 @@ ProcPseudoramiXGetScreenSize(ClientPtr client)
TRACE;
REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
if (stuff->screen >= pseudoramiXNumScreens)
return BadMatch;
REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
rc = dixLookupWindow(&pWin, stuff->window, client, DixGetAttrAccess);
if (rc != Success)
return rc;

3
xserver/render/render.c
View File

@ -1770,6 +1770,9 @@ ProcRenderSetPictureFilter(ClientPtr client)
name = (char *) (stuff + 1);
params = (xFixed *) (name + pad_to_int32(stuff->nbytes));
nparams = ((xFixed *) stuff + client->req_len) - params;
if (nparams < 0)
return BadLength;
result = SetPictureFilter(pPicture, name, stuff->nbytes, params, nparams);
return result;
}