MFC: Xi: Test exact size of XIBarrierReleasePointer

Otherwise a client can send any value of num_barriers and cause
reading or swapping of values on heap behind the receive buffer.
This commit is contained in:
matthieu 2017-10-14 09:29:01 +00:00
parent 515a707d86
commit 792e23cc09

View File

@ -830,10 +830,13 @@ SProcXIBarrierReleasePointer(ClientPtr client)
REQUEST(xXIBarrierReleasePointerReq);
int i;
info = (xXIBarrierReleasePointerInfo*) &stuff[1];
swaps(&stuff->length);
REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
swapl(&stuff->num_barriers);
REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
info = (xXIBarrierReleasePointerInfo*) &stuff[1];
for (i = 0; i < stuff->num_barriers; i++, info++) {
swaps(&info->deviceid);
swapl(&info->barrier);
@ -853,7 +856,7 @@ ProcXIBarrierReleasePointer(ClientPtr client)
xXIBarrierReleasePointerInfo *info;
REQUEST(xXIBarrierReleasePointerReq);
REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
info = (xXIBarrierReleasePointerInfo*) &stuff[1];
for (i = 0; i < stuff->num_barriers; i++, info++) {