CVE-2007-1003: XC-MISC Extension ProcXCMiscGetXIDList() Memory Corruption

author: Matthieu Herrb <matthieu@roadrock.(none)> 2007-04-03 15:47:18 +0200
committer: Matthieu Herrb <matthieu@roadrock.(none)> 2007-04-03 15:47:18 +0200
commit: 645d87cf8ef724d4591614f9994cdc4d7549a7a8 (patch)
tree: 66b75c15dbe6de040d448f7b14ebc468067f0c75 /Xext
parent: f2808005f4ee72c5fd7f5f3dcca181306485113e (diff)
1 files changed, 11 insertions, 2 deletions
diff --git a/Xext/xcmisc.c b/Xext/xcmisc.c
index f26218e97..8c7a86e6a 100644
--- a/Xext/xcmisc.c
+++ b/Xext/xcmisc.c
@@ -42,6 +42,12 @@ from The Open Group.
 #include <X11/extensions/xcmiscstr.h>
 #include "modinit.h"
 
+#if HAVE_STDINT_H
+#include <stdint.h>
+#elif !defined(UINT32_MAX)
+#define UINT32_MAX 0xffffffffU
+#endif
+
 #if 0
 static unsigned char XCMiscCode;
 #endif
@@ -143,7 +149,10 @@ ProcXCMiscGetXIDList(client)
 
     REQUEST_SIZE_MATCH(xXCMiscGetXIDListReq);
 
-    pids = (XID *)ALLOCATE_LOCAL(stuff->count * sizeof(XID));
+    if (stuff->count > UINT32_MAX / sizeof(XID))
+	    return BadAlloc;
+
+    pids = (XID *)Xalloc(stuff->count * sizeof(XID));
     if (!pids)
     {
 	return BadAlloc;
@@ -164,7 +173,7 @@ ProcXCMiscGetXIDList(client)
     	client->pSwapReplyFunc = (ReplySwapPtr) Swap32Write;
 	WriteSwappedDataToClient(client, count * sizeof(XID), pids);
     }
-    DEALLOCATE_LOCAL(pids);
+    Xfree(pids);
     return(client->noClientException);
 }
author	Matthieu Herrb <matthieu@roadrock.(none)>	2007-04-03 15:47:18 +0200
committer	Matthieu Herrb <matthieu@roadrock.(none)>	2007-04-03 15:47:18 +0200
commit	645d87cf8ef724d4591614f9994cdc4d7549a7a8 (patch)
tree	66b75c15dbe6de040d448f7b14ebc468067f0c75 /Xext
parent	f2808005f4ee72c5fd7f5f3dcca181306485113e (diff)