dix: integer overflow in ProcPutImage() [CVE-2014-8092 1/4]

ProcPutImage() calculates a length field from a width, left pad and depth specified by the client (if the specified format is XYPixmap). The calculations for the total amount of memory the server needs for the pixmap can overflow a 32-bit number, causing out-of-bounds memory writes on 32-bit systems (since the length is stored in a long int variable). Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> (cherry picked from commit eeae42d60bf3d5663ea088581f6c28a82cd17829) Signed-off-by: Julien Cristau <jcristau@debian.org>
author: Alan Coopersmith <alan.coopersmith@oracle.com> 2014-01-22 21:11:16 -0800
committer: Julien Cristau <jcristau@debian.org> 2014-12-09 17:50:12 +0100
commit: b022d4ef9d89c806024bd0cd367da1b249cc2b2d (patch)
tree: d2b2e105870c4d09b82c0276267b68cb83786ee2
parent: f1365eb0ec50bee7d99d4659319c4d93eb21642a (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/dix/dispatch.c b/dix/dispatch.c
index 4f830f7f4..01820bc0f 100644
--- a/dix/dispatch.c
+++ b/dix/dispatch.c
@@ -1956,6 +1956,9 @@ ProcPutImage(ClientPtr client)
     tmpImage = (char *) &stuff[1];
     lengthProto = length;
 
+    if (lengthProto >= (INT32_MAX / stuff->height))
+        return BadLength;
+
     if ((bytes_to_int32(lengthProto * stuff->height) +
          bytes_to_int32(sizeof(xPutImageReq))) != client->req_len)
         return BadLength;
author	Alan Coopersmith <alan.coopersmith@oracle.com>	2014-01-22 21:11:16 -0800
committer	Julien Cristau <jcristau@debian.org>	2014-12-09 17:50:12 +0100
commit	b022d4ef9d89c806024bd0cd367da1b249cc2b2d (patch)
tree	d2b2e105870c4d09b82c0276267b68cb83786ee2
parent	f1365eb0ec50bee7d99d4659319c4d93eb21642a (diff)