From 6ca496b7c3ccfd677c8c1bee88cc509a5e3c9e04 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith
Date: Mon, 21 Sep 2015 22:36:41 -0700
Subject: dri2: better checks for integer overflow in GetBuffers*

Check for integer overflow before using stuff->count in a multiplication, to avoid compiler optimizing out due to undefined behaviour, but only after we've checked to make sure stuff->count is in the range of the request we're parsing.

Reported-by: jes@posteo.de
Reviewed-by: Adam Jackson
Signed-off-by: Alan Coopersmith
---
 hw/xfree86/dri2/dri2ext.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

(limited to 'hw/xfree86/dri2/dri2ext.c')

diff --git a/hw/xfree86/dri2/dri2ext.c b/hw/xfree86/dri2/dri2ext.c
index 221ec530b..520b7cfb8 100644
--- a/hw/xfree86/dri2/dri2ext.c
+++ b/hw/xfree86/dri2/dri2ext.c
@@ -269,9 +269,11 @@ ProcDRI2GetBuffers(ClientPtr client)
     int status, width, height, count;
     unsigned int *attachments;

-    REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * 4);
-    if (stuff->count > (INT_MAX / 4))
+    REQUEST_AT_LEAST_SIZE(xDRI2GetBuffersReq);
+    /* stuff->count is a count of CARD32 attachments that follows */
+    if (stuff->count > (INT_MAX / sizeof(CARD32)))
         return BadLength;
+    REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * sizeof(CARD32));

     if (!validDrawable(client, stuff->drawable, DixReadAccess | DixWriteAccess,
                        &pDrawable, &status))
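Review bot: The ordering and the choice of bound in the new guard are explained only in the commit message, not in the code: the comment above `if (stuff->count > (INT_MAX / sizeof(CARD32)))` says what count is, but not why the header-only REQUEST_AT_LEAST_SIZE has to come first or why INT_MAX rather than the request length is the cap. I would extend it to `/* Header is validated above, so stuff->count is safe to read; cap it so count * sizeof(CARD32) cannot wrap (32-bit size_t) before REQUEST_FIXED_SIZE compares it against the request length. */`. It is worth stating that the cap is deliberately loose — the real bound on count is the client's request length, which the REQUEST_FIXED_SIZE on the following line enforces. ProcDRI2GetBuffers begins before this hunk and continues after it, so I could not confirm how stuff->count is consumed downstream; presumably it is handed on as an int, which the INT_MAX cap also keeps safe.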
@@ -297,7 +299,13 @@ ProcDRI2GetBuffersWithFormat(ClientPtr client)
     int status, width, height, count;
     unsigned int *attachments;

-    REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * (2 * 4));
+    REQUEST_AT_LEAST_SIZE(xDRI2GetBuffersReq);
+    /* stuff->count is a count of pairs of CARD32s (attachments & formats)
+       that follows */
+    if (stuff->count > (INT_MAX / (2 * sizeof(CARD32))))
+        return BadLength;
+    REQUEST_FIXED_SIZE(xDRI2GetBuffersReq,
+                       stuff->count * (2 * sizeof(CARD32)));
     if (!validDrawable(client, stuff->drawable, DixReadAccess | DixWriteAccess,
                        &pDrawable, &status))
         return status;
-- 
cgit v1.2.3
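Review bot: The comment on the new guard describes the layout but not the reason for the check, and "that follows" should read "that follow" (the pairs follow the header); I would replace it with `/* Pairs of CARD32s (attachment, format) follow the header; cap count so count * 2 * sizeof(CARD32) cannot wrap on a 32-bit size_t. The real limit is the request length, checked by REQUEST_FIXED_SIZE below. */`. This guard is the same as the one in ProcDRI2GetBuffers with a different element size, so if it is revisited a shared helper taking the element size would keep the two bounds from drifting apart in later edits. `return status;` is the last visible line; ProcDRI2GetBuffersWithFormat starts before the hunk and continues after it.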