authorAlan Coopersmith <alan.coopersmith@oracle.com>2015-09-21 22:36:41 -0700
committerAdam Jackson <ajax@redhat.com>2015-09-24 13:47:01 -0400
commit6ca496b7c3ccfd677c8c1bee88cc509a5e3c9e04 (patch)
tree3e467746e004d2b640b4e4107fca2707cbecf201
parent6c2c6fb5a7b44f50811722eb8621afb272aff2e8 (diff)
dri2: better checks for integer overflow in GetBuffers*
Check for integer overflow before using stuff->count in a multiplication, to avoid compiler optimizing out due to undefined behaviour, but only after we've checked to make sure stuff->count is in the range of the request we're parsing. Reported-by: jes@posteo.de Reviewed-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-rw-r--r--hw/xfree86/dri2/dri2ext.c14
1 files changed, 11 insertions, 3 deletions
diff --git a/hw/xfree86/dri2/dri2ext.c b/hw/xfree86/dri2/dri2ext.c
index 221ec530b..520b7cfb8 100644
--- a/hw/xfree86/dri2/dri2ext.c
+++ b/hw/xfree86/dri2/dri2ext.c
@@ -269,9 +269,11 @@ ProcDRI2GetBuffers(ClientPtr client)
int status, width, height, count;
unsigned int *attachments;
- REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * 4);
- if (stuff->count > (INT_MAX / 4))
+ REQUEST_AT_LEAST_SIZE(xDRI2GetBuffersReq);
+ /* stuff->count is a count of CARD32 attachments that follows */
+ if (stuff->count > (INT_MAX / sizeof(CARD32)))
return BadLength;
+ REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * sizeof(CARD32));
if (!validDrawable(client, stuff->drawable, DixReadAccess | DixWriteAccess,
&pDrawable, &status))
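Review bot: The comment added above the `INT_MAX` comparison in ProcDRI2GetBuffers says what `stuff->count` counts, but not why the three checks must stay in this order, and the ordering is the substance of the fix. I would extend it to something like `/* stuff->count is a count of CARD32 attachments that follows; read it only after REQUEST_AT_LEAST_SIZE, and bound it before it is multiplied for REQUEST_FIXED_SIZE */`. The comment in the ProcDRI2GetBuffersWithFormat hunk would benefit from the same addition. The function body starts and ends outside the hunk, so the later use of `stuff->count` is not visible here; presumably it sizes the read of the attachment list, which is why a later cleanup that reorders these lines would matter.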
@@ -297,7 +299,13 @@ ProcDRI2GetBuffersWithFormat(ClientPtr client)
int status, width, height, count;
unsigned int *attachments;
- REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * (2 * 4));
+ REQUEST_AT_LEAST_SIZE(xDRI2GetBuffersReq);
+ /* stuff->count is a count of pairs of CARD32s (attachments & formats)
+ that follows */
+ if (stuff->count > (INT_MAX / (2 * sizeof(CARD32))))
+ return BadLength;
+ REQUEST_FIXED_SIZE(xDRI2GetBuffersReq,
+ stuff->count * (2 * sizeof(CARD32)));
if (!validDrawable(client, stuff->drawable, DixReadAccess | DixWriteAccess,
&pDrawable, &status))
return status;
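Review bot: The factor `2 * sizeof(CARD32)` is written out twice in ProcDRI2GetBuffersWithFormat, once in the `INT_MAX` bound and once in the `REQUEST_FIXED_SIZE` argument, and the guard only covers the multiplication while the two expressions stay identical. Naming the factor once, for example `#define DRI2_ATTACH_FORMAT_SIZE (2 * sizeof(CARD32))` (the name is only a suggestion), and using it in both places would keep a later edit from changing one side and silently loosening the check. The first hunk has the same shape with `sizeof(CARD32)`, where the risk of drift is smaller. The function body continues outside the hunk.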