qbit/xenocara
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

XC-MISC CVE-2007-1003

Browse Source 
XC-MISC Extension ProcXCMiscGetXIDList Memory Corruption
 Vulnerability

This vulnerability was discovered by Sean Larsson, iDefense Labs.

from matthieu@
This commit is contained in:
todd 2007-04-04 02:50:29 +00:00
parent 8617745fcc
commit 5a595260aa
1 changed files with 11 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
xserver/Xext/xcmisc.c
View File

@ -42,6 +42,12 @@ from The Open Group.
#include <X11/extensions/xcmiscstr.h> #include <X11/extensions/xcmiscstr.h>
#include "modinit.h" #include "modinit.h"
#if HAVE_STDINT_H
#include <stdint.h>
#elif !defined(UINT32_MAX)
#define UINT32_MAX 0xffffffffU
#endif
#if 0 #if 0
static unsigned char XCMiscCode; static unsigned char XCMiscCode;
#endif #endif
@ -143,7 +149,10 @@ ProcXCMiscGetXIDList(client)
REQUEST_SIZE_MATCH(xXCMiscGetXIDListReq); REQUEST_SIZE_MATCH(xXCMiscGetXIDListReq);
pids = (XID *)ALLOCATE_LOCAL(stuff->count * sizeof(XID)); if (stuff->count > UINT32_MAX / sizeof(XID))
return BadAlloc;
pids = (XID *)Xalloc(stuff->count * sizeof(XID));
if (!pids) if (!pids)
{ {
return BadAlloc; return BadAlloc;
@ -164,7 +173,7 @@ ProcXCMiscGetXIDList(client)
client->pSwapReplyFunc = (ReplySwapPtr) Swap32Write; client->pSwapReplyFunc = (ReplySwapPtr) Swap32Write;
WriteSwappedDataToClient(client, count * sizeof(XID), pids); WriteSwappedDataToClient(client, count * sizeof(XID), pids);
} }
DEALLOCATE_LOCAL(pids); Xfree(pids);
return(client->noClientException); return(client->noClientException);
} }