author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2015-09-21 22:36:41 -0700 |
---|---|---|
committer | Adam Jackson <ajax@redhat.com> | 2015-09-24 13:47:01 -0400 |
commit | 6ca496b7c3ccfd677c8c1bee88cc509a5e3c9e04 (patch) | |
tree | 3e467746e004d2b640b4e4107fca2707cbecf201 | |
parent | 6c2c6fb5a7b44f50811722eb8621afb272aff2e8 (diff) |
dri2: better checks for integer overflow in GetBuffers*
Check for integer overflow before using stuff->count in a multiplication,
to avoid compiler optimizing out due to undefined behaviour, but only
after we've checked to make sure stuff->count is in the range of the
request we're parsing.
Reported-by: jes@posteo.de
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-rw-r--r-- | hw/xfree86/dri2/dri2ext.c | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/hw/xfree86/dri2/dri2ext.c b/hw/xfree86/dri2/dri2ext.c
index 221ec530b..520b7cfb8 100644
--- a/hw/xfree86/dri2/dri2ext.c
+++ b/hw/xfree86/dri2/dri2ext.c
@@ -269,9 +269,11 @@ ProcDRI2GetBuffers(ClientPtr client)
 int status, width, height, count;
 unsigned int *attachments;
- REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * 4);
- if (stuff->count > (INT_MAX / 4))
+ REQUEST_AT_LEAST_SIZE(xDRI2GetBuffersReq);
+ /* stuff->count is a count of CARD32 attachments that follows */
+ if (stuff->count > (INT_MAX / sizeof(CARD32)))
 return BadLength;
+ REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * sizeof(CARD32));
 if (!validDrawable(client, stuff->drawable, DixReadAccess | DixWriteAccess, &pDrawable, &status))
@@ -297,7 +299,13 @@ ProcDRI2GetBuffersWithFormat(ClientPtr client)
 int status, width, height, count;
 unsigned int *attachments;
- REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * (2 * 4));
+ REQUEST_AT_LEAST_SIZE(xDRI2GetBuffersReq);
+ /* stuff->count is a count of pairs of CARD32s (attachments & formats)
+ that follows */
+ if (stuff->count > (INT_MAX / (2 * sizeof(CARD32))))
+ return BadLength;
+ REQUEST_FIXED_SIZE(xDRI2GetBuffersReq,
+ stuff->count * (2 * sizeof(CARD32)));
 if (!validDrawable(client, stuff->drawable, DixReadAccess | DixWriteAccess, &pDrawable, &status)) return status; |
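Review bot: The comment added in ProcDRI2GetBuffers says what stuff->count counts, but not why the three statements must stay in this order or why the bound is INT_MAX, and both are what keep the length check sound. Presumably INT_MAX is chosen because the value is later handled as the `int count` declared at the top of the function; that is worth confirming and stating. I would extend the comment to something like `/* count of CARD32 attachments that follow; bound it before multiplying so the byte length given to REQUEST_FIXED_SIZE cannot wrap */`. The same applies to the comment added in ProcDRI2GetBuffersWithFormat, and both function bodies continue outside the hunks.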
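Review bot: In ProcDRI2GetBuffersWithFormat the per-entry size `2 * sizeof(CARD32)` is written out twice, once in the bound and once in the length passed to REQUEST_FIXED_SIZE, and the overflow guard only holds while the two expressions agree. Naming it once next to the other locals, for example `const size_t entry_size = 2 * sizeof(CARD32);`, and then using `INT_MAX / entry_size` and `stuff->count * entry_size`, keeps a later edit from changing one without the other. The code that consumes the attachment/format pairs is outside the hunk, so whether it reads exactly stuff->count pairs should be checked against the same constant.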