MFC: Xi: Test exact size of XIBarrierReleasePointer
Otherwise a client can send any value of num_barriers and cause reading or swapping of values on heap behind the receive buffer.
This commit is contained in:
parent
515a707d86
commit
792e23cc09
@ -830,10 +830,13 @@ SProcXIBarrierReleasePointer(ClientPtr client)
|
||||
REQUEST(xXIBarrierReleasePointerReq);
|
||||
int i;
|
||||
|
||||
info = (xXIBarrierReleasePointerInfo*) &stuff[1];
|
||||
|
||||
swaps(&stuff->length);
|
||||
REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
|
||||
|
||||
swapl(&stuff->num_barriers);
|
||||
REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
|
||||
|
||||
info = (xXIBarrierReleasePointerInfo*) &stuff[1];
|
||||
for (i = 0; i < stuff->num_barriers; i++, info++) {
|
||||
swaps(&info->deviceid);
|
||||
swapl(&info->barrier);
|
||||
@ -853,7 +856,7 @@ ProcXIBarrierReleasePointer(ClientPtr client)
|
||||
xXIBarrierReleasePointerInfo *info;
|
||||
|
||||
REQUEST(xXIBarrierReleasePointerReq);
|
||||
REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
|
||||
REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
|
||||
|
||||
info = (xXIBarrierReleasePointerInfo*) &stuff[1];
|
||||
for (i = 0; i < stuff->num_barriers; i++, info++) {
|
||||
|
Loading…
Reference in New Issue
Block a user