diff options
| author | Matthieu Herrb <matthieu@bluenote.herrb.com> | 2008-01-17 15:26:41 +0100 |
|---|---|---|
| committer | Matthieu Herrb <matthieu@bluenote.herrb.com> | 2008-01-17 15:26:41 +0100 |
| commit | bbde5b62a137ba726a747b838d81e92d72c1b42b (patch) | |
| tree | 4d4a093cf9abcc54b6e2dc12bb145d18fd6a4813 | |
| parent | e85130c85f727466fc27be1cfa46c88b257499fb (diff) | |
Fix for CVE-2007-5760 - XFree86 Misc extension out of bounds array index
| -rw-r--r-- | hw/xfree86/common/xf86MiscExt.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/hw/xfree86/common/xf86MiscExt.c b/hw/xfree86/common/xf86MiscExt.c index c1b9c60fc..40c196a3e 100644 --- a/hw/xfree86/common/xf86MiscExt.c +++ b/hw/xfree86/common/xf86MiscExt.c @@ -548,6 +548,10 @@ MiscExtPassMessage(int scrnIndex, const char *msgtype, const char *msgval, { ScrnInfoPtr pScr = xf86Screens[scrnIndex]; + /* should check this in the protocol, but xf86NumScreens isn't exported */ + if (scrnIndex >= xf86NumScreens) + return BadValue; + if (*pScr->HandleMessage == NULL) return BadImplementation; return (*pScr->HandleMessage)(scrnIndex, msgtype, msgval, retstr); |