diff options
author | Nathan Kidd <nkidd@opentext.com> | 2015-01-09 10:04:41 -0500 |
---|---|---|
committer | Julien Cristau <jcristau@debian.org> | 2017-10-10 23:33:44 +0200 |
commit | d088e3c1286b548a58e62afdc70bb40981cdb9e8 (patch) | |
tree | ff96e7602892cd9a0eea72e9da20569c064dda3b | |
parent | 1b1d4c04695dced2463404174b50b3581dbd857b (diff) |
Xi: integer overflow and unvalidated length in (S)ProcXIBarrierReleasePointer
[jcristau: originally this patch fixed the same issue as commit
211e05ac85 "Xi: Test exact size of XIBarrierReleasePointer", with the
addition of these checks]
This addresses CVE-2017-12179
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Signed-off-by: Nathan Kidd <nkidd@opentext.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
-rw-r--r-- | Xi/xibarriers.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/Xi/xibarriers.c b/Xi/xibarriers.c index d82ecb6a5..d0be70135 100644 --- a/Xi/xibarriers.c +++ b/Xi/xibarriers.c @@ -834,6 +834,8 @@ SProcXIBarrierReleasePointer(ClientPtr client) REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq); swapl(&stuff->num_barriers); + if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo)) + return BadLength; REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo)); info = (xXIBarrierReleasePointerInfo*) &stuff[1]; @@ -856,6 +858,9 @@ ProcXIBarrierReleasePointer(ClientPtr client) xXIBarrierReleasePointerInfo *info; REQUEST(xXIBarrierReleasePointerReq); + REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq); + if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo)) + return BadLength; REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo)); info = (xXIBarrierReleasePointerInfo*) &stuff[1]; |