diff options
| author | Matthieu Herrb <matthieu@bluenote.herrb.com> | 2008-01-17 15:26:41 +0100 |
|---|---|---|
| committer | Matthieu Herrb <matthieu@bluenote.herrb.com> | 2008-01-17 17:00:06 +0100 |
| commit | 59a3b83922c810316a374a19484b24901c7437ae (patch) | |
| tree | ba9eeeab157df4ffe42630ca9c963b404f328c31 | |
| parent | 636aa9e7be2822a0148067a11499ad48fe682cd9 (diff) | |
Fix for CVE-2007-5760 - XFree86 Misc extension out of bounds array index
| -rw-r--r-- | hw/xfree86/common/xf86MiscExt.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/hw/xfree86/common/xf86MiscExt.c b/hw/xfree86/common/xf86MiscExt.c index c1b9c60fc..40c196a3e 100644 --- a/hw/xfree86/common/xf86MiscExt.c +++ b/hw/xfree86/common/xf86MiscExt.c @@ -548,6 +548,10 @@ MiscExtPassMessage(int scrnIndex, const char *msgtype, const char *msgval, { ScrnInfoPtr pScr = xf86Screens[scrnIndex]; + /* should check this in the protocol, but xf86NumScreens isn't exported */ + if (scrnIndex >= xf86NumScreens) + return BadValue; + if (*pScr->HandleMessage == NULL) return BadImplementation; return (*pScr->HandleMessage)(scrnIndex, msgtype, msgval, retstr); |