From 5a595260aa4f99f0f1e01bcc6cf80c9f7de6b223 Mon Sep 17 00:00:00 2001 From: todd Date: Wed, 4 Apr 2007 02:50:29 +0000 Subject: [PATCH] XC-MISC CVE-2007-1003 XC-MISC Extension ProcXCMiscGetXIDList Memory Corruption Vulnerability This vulnerability was discovered by Sean Larsson, iDefense Labs. from matthieu@ --- xserver/Xext/xcmisc.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/xserver/Xext/xcmisc.c b/xserver/Xext/xcmisc.c index f26218e97..8c7a86e6a 100644 --- a/xserver/Xext/xcmisc.c +++ b/xserver/Xext/xcmisc.c @@ -42,6 +42,12 @@ from The Open Group. #include #include "modinit.h" +#if HAVE_STDINT_H +#include +#elif !defined(UINT32_MAX) +#define UINT32_MAX 0xffffffffU +#endif + #if 0 static unsigned char XCMiscCode; #endif @@ -143,7 +149,10 @@ ProcXCMiscGetXIDList(client) REQUEST_SIZE_MATCH(xXCMiscGetXIDListReq); - pids = (XID *)ALLOCATE_LOCAL(stuff->count * sizeof(XID)); + if (stuff->count > UINT32_MAX / sizeof(XID)) + return BadAlloc; + + pids = (XID *)Xalloc(stuff->count * sizeof(XID)); if (!pids) { return BadAlloc; @@ -164,7 +173,7 @@ ProcXCMiscGetXIDList(client) client->pSwapReplyFunc = (ReplySwapPtr) Swap32Write; WriteSwappedDataToClient(client, count * sizeof(XID), pids); } - DEALLOCATE_LOCAL(pids); + Xfree(pids); return(client->noClientException); }
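Review bot: The guard added in front of `Xalloc` in the second hunk only rules out 32-bit wrap-around of `stuff->count * sizeof(XID)`, so a client-chosen count just below `UINT32_MAX / sizeof(XID)` still makes the server attempt a heap allocation of up to roughly 4 GiB. Consider also rejecting counts above an explicit ceiling, e.g. `if (stuff->count > MAX_XID_LIST_COUNT /* placeholder limit */) return BadAlloc;`. Separately, `ALLOCATE_LOCAL` presumably returned a usable pointer for a count of 0, whereas `Xalloc` may return NULL for a zero-byte request in this tree, which would turn an empty query into `BadAlloc`. That is worth confirming and, if so, handling `count == 0` before the allocation. The body of ProcXCMiscGetXIDList starts before and continues after this hunk.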
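Review bot: `Xfree(pids)` in the last hunk is the only release visible for a buffer that the previous hunk moved to `Xalloc`, and unlike the `ALLOCATE_LOCAL` storage it replaces (presumably stack-backed), a heap block is not reclaimed on an early return. The lines between the allocation and this call are outside the hunks, so confirm that none of them returns without freeing; otherwise each such request leaks server memory. A short comment above the allocation, such as `/* pids is heap-allocated; every exit path below must Xfree() it */`, would make the requirement visible to later editors.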