diff options
author | Tobias Stoeckmann <tobias@stoeckmann.org> | 2017-03-19 17:55:07 +0100 |
---|---|---|
committer | Adam Jackson <ajax@redhat.com> | 2017-03-20 15:19:12 -0400 |
commit | 40c12a76c2ae57adefd3b1d412387ebbfe2fb784 (patch) | |
tree | 1f2b084f5f6b83dcf7af18f3db572ec6925f7a09 /record | |
parent | 1ad230682338a9d2fc6eca6966a5bebb007df32c (diff) |
record: Fix OOB access in ProcRecordUnregisterClients
If a client sends a RecordUnregisterClients request with an nClients
field larger than INT_MAX / 4, an integer overflow leads to an
out of boundary access in RecordSanityCheckClientSpecifiers.
An example line with libXtst would be:
XRecordUnregisterClients(dpy, rc, clients, 0x40000001);
Reviewed-by: Adam Jackson <ajax@redhat.com>
Diffstat (limited to 'record')
-rw-r--r-- | record/record.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/record/record.c b/record/record.c index 3e8b497e7..fdcee7e00 100644 --- a/record/record.c +++ b/record/record.c @@ -1910,7 +1910,8 @@ ProcRecordUnregisterClients(ClientPtr client) int i; REQUEST_AT_LEAST_SIZE(xRecordUnregisterClientsReq); - if ((client->req_len << 2) - SIZEOF(xRecordUnregisterClientsReq) != + if (INT_MAX / 4 < stuff->nClients || + (client->req_len << 2) - SIZEOF(xRecordUnregisterClientsReq) != 4 * stuff->nClients) return BadLength; VERIFY_CONTEXT(pContext, stuff->context, client); |