diff options
author | Matthieu Herrb <matthieu.herrb@laas.fr> | 2008-06-08 11:16:23 -0600 |
---|---|---|
committer | Matthieu Herrb <matthieu@bluenote.herrb.net> | 2008-06-10 11:43:43 -0600 |
commit | 08e6292e7efff518730e3c54f3a082c6139d618d (patch) | |
tree | eb19637c4f189669d9cf7a47ab9a3ef33bcfa43d | |
parent | 8ffaf613705a915c4b53ae11096dacd786fd1d22 (diff) |
CVE-2008-1379 - MIT-SHM arbitrary memory read
An integer overflow in the validation of the parameters of the
ShmPutImage() request makes it possible to trigger the copy of
arbitrary server memory to a pixmap that can subsequently be read by
the client, to read arbitrary parts of the X server memory space.
-rw-r--r-- | Xext/shm.c | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/Xext/shm.c b/Xext/shm.c index 3c0d1eef0..de908cfe8 100644 --- a/Xext/shm.c +++ b/Xext/shm.c @@ -848,8 +848,17 @@ ProcShmPutImage(client) return BadValue; } - VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight, - client); + /* + * There's a potential integer overflow in this check: + * VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight, + * client); + * the version below ought to avoid it + */ + if (stuff->totalHeight != 0 && + length > (shmdesc->size - stuff->offset)/stuff->totalHeight) { + client->errorValue = stuff->totalWidth; + return BadValue; + } if (stuff->srcX > stuff->totalWidth) { client->errorValue = stuff->srcX; |