qbit/xenocara
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

MFC: Xi: Test exact size of XIBarrierReleasePointer

Browse Source 
Otherwise a client can send any value of num_barriers and cause
reading or swapping of values on heap behind the receive buffer.
This commit is contained in:
matthieu 2017-10-14 09:29:01 +00:00
parent 515a707d86
commit 792e23cc09
1 changed files with 6 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
xserver/Xi/xibarriers.c
View File

@ -830,10 +830,13 @@ SProcXIBarrierReleasePointer(ClientPtr client)
REQUEST(xXIBarrierReleasePointerReq); REQUEST(xXIBarrierReleasePointerReq);
int i; int i;
info = (xXIBarrierReleasePointerInfo*) &stuff[1];
swaps(&stuff->length); swaps(&stuff->length);
REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
swapl(&stuff->num_barriers); swapl(&stuff->num_barriers);
REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
info = (xXIBarrierReleasePointerInfo*) &stuff[1];
for (i = 0; i < stuff->num_barriers; i++, info++) { for (i = 0; i < stuff->num_barriers; i++, info++) {
swaps(&info->deviceid); swaps(&info->deviceid);
swapl(&info->barrier); swapl(&info->barrier);
@ -853,7 +856,7 @@ ProcXIBarrierReleasePointer(ClientPtr client)
xXIBarrierReleasePointerInfo *info; xXIBarrierReleasePointerInfo *info;
REQUEST(xXIBarrierReleasePointerReq); REQUEST(xXIBarrierReleasePointerReq);
REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq); REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
info = (xXIBarrierReleasePointerInfo*) &stuff[1]; info = (xXIBarrierReleasePointerInfo*) &stuff[1];
for (i = 0; i < stuff->num_barriers; i++, info++) { for (i = 0; i < stuff->num_barriers; i++, info++) {