MFC: Xi: integer overflow and unvalidated length in

(S)ProcXIBarrierReleasePointer

[jcristau: originally this patch fixed the same issue as commit
211e05ac85 "Xi: Test exact size of XIBarrierReleasePointer", with the
addition of these checks]

This addresses CVE-2017-12179
matthieu 2017-10-14 09:30:50 +00:00
parent 792e23cc09
commit 74d10c412f


@ -834,6 +834,8 @@ SProcXIBarrierReleasePointer(ClientPtr client)
REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq); REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
swapl(&stuff->num_barriers); swapl(&stuff->num_barriers);
if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo))
return BadLength;
REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo)); REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
info = (xXIBarrierReleasePointerInfo*) &stuff[1]; info = (xXIBarrierReleasePointerInfo*) &stuff[1];
@ -856,6 +858,9 @@ ProcXIBarrierReleasePointer(ClientPtr client)
xXIBarrierReleasePointerInfo *info; xXIBarrierReleasePointerInfo *info;
REQUEST(xXIBarrierReleasePointerReq); REQUEST(xXIBarrierReleasePointerReq);
REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo))
return BadLength;
REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo)); REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
info = (xXIBarrierReleasePointerInfo*) &stuff[1]; info = (xXIBarrierReleasePointerInfo*) &stuff[1];
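Review bot: The new bound `if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo))` is added to both SProcXIBarrierReleasePointer and ProcXIBarrierReleasePointer without a comment. A later reader cannot tell that it keeps the `stuff->num_barriers * sizeof(...)` argument of REQUEST_FIXED_SIZE from wrapping, or that in the swapped handler it must stay after `swapl(&stuff->num_barriers)`. I would add above each check `/* num_barriers is client-controlled: reject counts whose byte size would wrap before REQUEST_FIXED_SIZE compares it with the request length */`. Because the two-line check is now duplicated, a comment or a small shared helper would also keep the copies from drifting apart. Both function bodies start and end outside the hunks shown, so whether the code that later walks `info` depends only on this length check cannot be confirmed from here.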