author | Tobias Stoeckmann <tobias@stoeckmann.org> | 2017-03-19 17:55:07 +0100 |
---|---|---|
committer | Olivier Fourdan <ofourdan@redhat.com> | 2017-09-22 18:45:59 +0200 |
commit | e23000d83f8dbab4effd9f344f3d776634a1d56e (patch) | |
tree | 1368a2452a1a80083edce2029da2ae06bae5c1df | |
parent | 3166138ea681537dbe164e2888ccb96bb022220b (diff) |
record: Fix OOB access in ProcRecordUnregisterClients

If a client sends a RecordUnregisterClients request with an nClients
field larger than INT_MAX / 4, an integer overflow leads to an
out of boundary access in RecordSanityCheckClientSpecifiers.

An example line with libXtst would be:

    XRecordUnregisterClients(dpy, rc, clients, 0x40000001);

Reviewed-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit 40c12a76c2ae57adefd3b1d412387ebbfe2fb784)
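
The wrap described in the commit message, as an added example (not code from the X server tree): a stand-alone model of the length check before and after the patch. The 12-byte fixed request size, the 32-bit types and all function names are assumptions of this model.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption of this model: the fixed part of the request is 12 bytes. */
#define REQ_FIXED_BYTES 12u

/* Pre-patch check. Returns 1 when the request would be accepted.
 * 4 * n_clients is computed in 32-bit unsigned arithmetic and wraps. */
static int length_ok_before(uint32_t req_len_words, uint32_t n_clients)
{
    return (req_len_words << 2) - REQ_FIXED_BYTES == 4u * n_clients;
}

/* Post-patch check: reject counts above INT_MAX / 4 before the
 * multiplication is ever compared against the request length. */
static int length_ok_after(uint32_t req_len_words, uint32_t n_clients)
{
    if ((uint32_t)(INT_MAX / 4) < n_clients)
        return 0;
    return (req_len_words << 2) - REQ_FIXED_BYTES == 4u * n_clients;
}

/* Client specifiers (4 bytes each) actually carried by the request. */
static uint32_t specs_present(uint32_t req_len_words)
{
    return ((req_len_words << 2) - REQ_FIXED_BYTES) / 4u;
}

int main(void)
{
    uint32_t req_len = 4;           /* constructed: 16-byte request */
    uint32_t claimed = 0x40000001u; /* count from the commit message */

    printf("specifiers present: %u, claimed: %u\n",
           (unsigned)specs_present(req_len), (unsigned)claimed);
    printf("4 * claimed wraps to: %u\n", (unsigned)(4u * claimed));
    printf("before patch accepted: %d\n", length_ok_before(req_len, claimed));
    printf("after patch accepted:  %d\n", length_ok_after(req_len, claimed));
    printf("honest count accepted: %d\n", length_ok_after(req_len, 1));
    return 0;
}
```

The pre-patch check accepts a request that carries one specifier while claiming 0x40000001 of them, because the byte count wraps to 4; the guarded check rejects it and still accepts the matching count of 1.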
-rw-r--r-- | record/record.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/record/record.c b/record/record.c index 82bb0607e..600d55f53 100644 --- a/record/record.c +++ b/record/record.c @@ -1910,7 +1910,8 @@ ProcRecordUnregisterClients(ClientPtr client) int i; REQUEST_AT_LEAST_SIZE(xRecordUnregisterClientsReq); - if ((client->req_len << 2) - SIZEOF(xRecordUnregisterClientsReq) != + if (INT_MAX / 4 < stuff->nClients || + (client->req_len << 2) - SIZEOF(xRecordUnregisterClientsReq) != 4 * stuff->nClients) return BadLength; VERIFY_CONTEXT(pContext, stuff->context, client); |
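Review bot: the added guard "INT_MAX / 4 < stuff->nClients" at the top of the length condition carries no comment saying why the limit is INT_MAX / 4. A one-line comment that it keeps "4 * stuff->nClients" from wrapping before the comparison with the request length would stop a later cleanup from removing it as redundant. The choice of INT_MAX rather than an unsigned limit suggests the count is consumed as a signed value further down (the commit message names RecordSanityCheckClientSpecifiers); if so, say that in the comment as well. It is also worth confirming whether the other record request handlers that compare a request length against 4 * nClients need the same guard, since this hunk only covers ProcRecordUnregisterClients.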