CVE-2008-1379 - MIT-SHM arbitrary memory read

An integer overflow in the validation of the parameters of the ShmPutImage() request makes it possible to trigger the copy of arbitrary server memory to a pixmap that can subsequently be read by the client, to read arbitrary parts of the X server memory space. (cherry picked from commit 063f18ef6d7bf834225ddfd3527e58c078628f5f)
author: Matthieu Herrb <matthieu.herrb@laas.fr> 2008-06-10 12:20:43 -0600
committer: Jeremy Huddleston <jeremyhu@freedesktop.org> 2008-06-11 11:33:39 -0700
commit: b0a9b429613faacb71c0aad3f774a13bd7d985df (patch)
tree: 5f9bce97a00663cb66c59abfcb9ef6fa7265665e
parent: 2af571dbf176a1f77c2235d750356663f7e70282 (diff)
1 files changed, 11 insertions, 2 deletions
diff --git a/Xext/shm.c b/Xext/shm.c
index be79862cb..e3fa2d33d 100644
--- a/Xext/shm.c
+++ b/Xext/shm.c
@@ -841,8 +841,17 @@ ProcShmPutImage(client)
         return BadValue;
     }
 
-    VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
-		   client);
+    /* 
+     * There's a potential integer overflow in this check:
+     * VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
+     *                client);
+     * the version below ought to avoid it
+     */
+    if (stuff->totalHeight != 0 && 
+	length > (shmdesc->size - stuff->offset)/stuff->totalHeight) {
+	client->errorValue = stuff->totalWidth;
+	return BadValue;
+    }
     if (stuff->srcX > stuff->totalWidth)
     {
 	client->errorValue = stuff->srcX;
author	Matthieu Herrb <matthieu.herrb@laas.fr>	2008-06-10 12:20:43 -0600
committer	Jeremy Huddleston <jeremyhu@freedesktop.org>	2008-06-11 11:33:39 -0700
commit	b0a9b429613faacb71c0aad3f774a13bd7d985df (patch)
tree	5f9bce97a00663cb66c59abfcb9ef6fa7265665e
parent	2af571dbf176a1f77c2235d750356663f7e70282 (diff)