From 58c298acc1045927e0d90be73b8dbc8837252589 Mon Sep 17 00:00:00 2001
From: Peter Hutterer
Date: Tue, 1 Sep 2009 15:16:17 +1000
Subject: Xi: extra length checking for requests providing masks.

masks can be of arbitrary length. If the client did not initialize mask_len, some sort of boundary check is needed to avoid running over memory.

Signed-off-by: Peter Hutterer
---
 Xi/xiselectev.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/Xi/xiselectev.c b/Xi/xiselectev.c
index d7b16446f..eac12c50f 100644
--- a/Xi/xiselectev.c
+++ b/Xi/xiselectev.c
@@ -69,6 +69,7 @@ ProcXISelectEvents(ClientPtr client)
 DeviceIntRec dummy;
 xXIEventMask *evmask;
 int *types = NULL;
+ int len;
 REQUEST(xXISelectEventsReq);
 REQUEST_AT_LEAST_SIZE(xXISelectEventsReq);
@@ -80,11 +81,18 @@ ProcXISelectEvents(ClientPtr client)
 if (rc != Success)
 return rc;
+ len = sz_xXISelectEventsReq;
+
 /* check request validity */
 evmask = (xXIEventMask*)&stuff[1];
 num_masks = stuff->num_masks;
 while(num_masks--)
 {
+ len += sizeof(xXIEventMask) + evmask->mask_len * 4;
+
+ if (bytes_to_int32(len) > stuff->length)
+ return BadLength;
+
 if (evmask->deviceid != XIAllDevices && evmask->deviceid != XIAllMasterDevices)
 rc = dixLookupDevice(&dev, evmask->deviceid, client, DixUseAccess);
@@ -128,6 +136,9 @@ ProcXISelectEvents(ClientPtr client)
 evmask++;
 }
+ if (bytes_to_int32(len) != stuff->length)
+ return BadLength;
+
 /* Set masks on window */
 evmask = (xXIEventMask*)&stuff[1];
 num_masks = stuff->num_masks;
--
cgit v1.2.3
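Review bot: In the second hunk, `evmask->mask_len` is read by `len += sizeof(xXIEventMask) + evmask->mask_len * 4;` before anything has confirmed that the `xXIEventMask` header itself lies inside the request. `REQUEST_AT_LEAST_SIZE(xXISelectEventsReq)` covers only the fixed part, so a request with a non-zero `num_masks` and a truncated tail still has one mask header read beyond the declared length before `BadLength` is returned. Checking in two steps avoids that: `len += sizeof(xXIEventMask); if (bytes_to_int32(len) > stuff->length) return BadLength;` and only then `len += evmask->mask_len * 4;` followed by the existing comparison. The body of the `while` loop continues outside the hunk, so how the mask bytes are consumed afterwards is not visible here.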
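Review bot: The exact-length test added after the loop in the third hunk has no comment, and it depends on `len` having been accumulated in the validation loop above. A one-line comment such as `/* all masks accounted for; reject trailing bytes */` would record why `!=` rather than `>` is used here. The diffstat shows that only `ProcXISelectEvents` is changed. If a byte-swapping entry point for this request walks the same mask list before dispatch, it presumably needs an equivalent bounds check, which cannot be confirmed from this page.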