diff options
author | Keith Packard <keithp@keithp.com> | 2014-12-09 09:30:57 -0800 |
---|---|---|
committer | Julien Cristau <jcristau@debian.org> | 2014-12-09 20:54:11 +0100 |
commit | 044764b5c627d1a6e8ea1dd8cf741a26aeb4b2e7 (patch) | |
tree | 0d12aaf43e80f9cf6e345cf447bc379b930f63bd | |
parent | 73b1880eb37bd8ffbc3e36739e94f9b56b8323b9 (diff) |
dbe: Call to DDX SwapBuffers requires address of int, not unsigned int [CVE-2014-8097 pt. 2]
When the local types used to walk the DBE request were changed, this
changed the type of the parameter passed to the DDX SwapBuffers API,
but there wasn't a matching change in the API definition.
At this point, with the API frozen, I just stuck a new variable in
with the correct type. Because we've already bounds-checked nStuff to
be smaller than UINT32_MAX / sizeof(DbeSwapInfoRec), we know it will
fit in a signed int without overflow.
Signed-off-by: Keith Packard <keithp@keithp.com
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit b20912c3d45cbbde3c443e6c3d9e189092fe65e1)
Signed-off-by: Julien Cristau <jcristau@debian.org>
-rw-r--r-- | dbe/dbe.c | 6 |
1 files changed, 4 insertions, 2 deletions
@@ -452,6 +452,7 @@ ProcDbeSwapBuffers(ClientPtr client) int error; unsigned int i, j; unsigned int nStuff; + int nStuff_i; /* DDX API requires int for nStuff */ REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq); nStuff = stuff->n; /* use local variable for performance. */ @@ -527,9 +528,10 @@ ProcDbeSwapBuffers(ClientPtr client) * could deal with cross-screen synchronization. */ - while (nStuff > 0) { + nStuff_i = nStuff; + while (nStuff_i > 0) { pDbeScreenPriv = DBE_SCREEN_PRIV_FROM_WINDOW(swapInfo[0].pWindow); - error = (*pDbeScreenPriv->SwapBuffers) (client, &nStuff, swapInfo); + error = (*pDbeScreenPriv->SwapBuffers) (client, &nStuff_i, swapInfo); if (error != Success) { free(swapInfo); return error; |