MFC: Xi: integer overflow and unvalidated length in

(S)ProcXIBarrierReleasePointer [jcristau: originally this patch fixed the same issue as commit 211e05ac85 "Xi: Test exact size of XIBarrierReleasePointer", with the addition of these checks] This addresses CVE-2017-12179
2017-10-14 09:30:50 +00:00 · 2017-10-14 09:30:50 +00:00 · 74d10c412f
commit 74d10c412f
parent 792e23cc09
1 changed files with 5 additions and 0 deletions
--- a/xserver/Xi/xibarriers.c
+++ b/xserver/Xi/xibarriers.c
@ -834,6 +834,8 @@ SProcXIBarrierReleasePointer(ClientPtr client)
    REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);

    swapl(&stuff->num_barriers);
+    if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo))
+        return BadLength;
    REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));

    info = (xXIBarrierReleasePointerInfo*) &stuff[1];
@ -856,6 +858,9 @@ ProcXIBarrierReleasePointer(ClientPtr client)
    xXIBarrierReleasePointerInfo *info;

    REQUEST(xXIBarrierReleasePointerReq);
+    REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
+    if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo))
+        return BadLength;
    REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));

    info = (xXIBarrierReleasePointerInfo*) &stuff[1];