XC-MISC CVE-2007-1003
XC-MISC Extension ProcXCMiscGetXIDList Memory Corruption Vulnerability This vulnerability was discovered by Sean Larsson, iDefense Labs. from matthieu@
This commit is contained in:
parent
8617745fcc
commit
5a595260aa
@ -42,6 +42,12 @@ from The Open Group.
|
||||
#include <X11/extensions/xcmiscstr.h>
|
||||
#include "modinit.h"
|
||||
|
||||
#if HAVE_STDINT_H
|
||||
#include <stdint.h>
|
||||
#elif !defined(UINT32_MAX)
|
||||
#define UINT32_MAX 0xffffffffU
|
||||
#endif
|
||||
|
||||
#if 0
|
||||
static unsigned char XCMiscCode;
|
||||
#endif
|
||||
@ -143,7 +149,10 @@ ProcXCMiscGetXIDList(client)
|
||||
|
||||
REQUEST_SIZE_MATCH(xXCMiscGetXIDListReq);
|
||||
|
||||
pids = (XID *)ALLOCATE_LOCAL(stuff->count * sizeof(XID));
|
||||
if (stuff->count > UINT32_MAX / sizeof(XID))
|
||||
return BadAlloc;
|
||||
|
||||
pids = (XID *)Xalloc(stuff->count * sizeof(XID));
|
||||
if (!pids)
|
||||
{
|
||||
return BadAlloc;
|
||||
@ -164,7 +173,7 @@ ProcXCMiscGetXIDList(client)
|
||||
client->pSwapReplyFunc = (ReplySwapPtr) Swap32Write;
|
||||
WriteSwappedDataToClient(client, count * sizeof(XID), pids);
|
||||
}
|
||||
DEALLOCATE_LOCAL(pids);
|
||||
Xfree(pids);
|
||||
return(client->noClientException);
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user