author | Matthieu Herrb <matthieu@roadrock.(none)> | 2007-04-03 15:47:18 +0200 |
---|---|---|
committer | Keith Packard <keithp@neko.keithp.com> | 2007-04-05 23:32:56 -0700 |
commit | 44c4bd5df3aae191be9fc836be26f91497d02901 (patch) | |
tree | 43e142dc7b7a3aeb3e2728485e3e75f61a3569a2 | |
parent | 44ea7a3e0d8fa636f4e5dd392caf618120d98413 (diff) |
CVE-2007-1003: XC-MISC Extension ProcXCMiscGetXIDList() Memory Corruption
(cherry picked from commit 645d87cf8ef724d4591614f9994cdc4d7549a7a8)
-rw-r--r-- | Xext/xcmisc.c | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/Xext/xcmisc.c b/Xext/xcmisc.c
index f26218e97..8c7a86e6a 100644
--- a/Xext/xcmisc.c
+++ b/Xext/xcmisc.c
@@ -42,6 +42,12 @@ from The Open Group.
 #include <X11/extensions/xcmiscstr.h>
 #include "modinit.h"
+#if HAVE_STDINT_H
+#include <stdint.h>
+#elif !defined(UINT32_MAX)
+#define UINT32_MAX 0xffffffffU
+#endif
+
 #if 0
 static unsigned char XCMiscCode;
 #endif
@@ -143,7 +149,10 @@ ProcXCMiscGetXIDList(client)
 REQUEST_SIZE_MATCH(xXCMiscGetXIDListReq);
- pids = (XID *)ALLOCATE_LOCAL(stuff->count * sizeof(XID));
+ if (stuff->count > UINT32_MAX / sizeof(XID))
+ return BadAlloc;
+
+ pids = (XID *)Xalloc(stuff->count * sizeof(XID));
 if (!pids)
 {
 return BadAlloc;
@@ -164,7 +173,7 @@ ProcXCMiscGetXIDList(client)
 client->pSwapReplyFunc = (ReplySwapPtr) Swap32Write;
 WriteSwappedDataToClient(client, count * sizeof(XID), pids);
 }
- DEALLOCATE_LOCAL(pids);
+ Xfree(pids);
 return(client->noClientException);
 } |
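Review bot: The new guard before the Xalloc in ProcXCMiscGetXIDList only rules out wrap-around of `stuff->count * sizeof(XID)`; a client-supplied count just below `UINT32_MAX / sizeof(XID)` still makes the server attempt an allocation approaching 4 GiB for a single request. Since `stuff->count` comes straight from the request, a tighter upper bound would limit memory pressure from one client, for example `if (stuff->count > XCMISC_MAX_XIDS) return BadValue;`, where `XCMISC_MAX_XIDS` is a placeholder name for whatever limit the server considers sane. At minimum a comment such as `/* stuff->count is client-controlled; reject sizes that would wrap in 32 bits */` would record why the check exists. The function body starts and ends outside this hunk.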
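Review bot: With `pids` now coming from Xalloc, the `Xfree(pids)` in the last hunk is the only release visible in this patch, and the lines between the allocation and this hunk are not shown. The replaced ALLOCATE_LOCAL storage presumably did not need an explicit release on every path, so any early return in that unseen stretch would now leak one buffer per request. It is worth confirming there is none and noting the ownership at the allocation, e.g. `/* heap-allocated: every return below must Xfree(pids) */`.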