diff options
author | Matthieu Herrb <matthieu.herrb@laas.fr> | 2008-06-10 12:20:00 -0600 |
---|---|---|
committer | Jeremy Huddleston <jeremyhu@freedesktop.org> | 2008-06-11 11:33:36 -0700 |
commit | 2af571dbf176a1f77c2235d750356663f7e70282 (patch) | |
tree | db303d94a59230096c0faef2bcff840168832bfc | |
parent | 817b20030b073f9e92c77c0f6887d080c99ae6df (diff) |
CVE-2008-1377 - RECORD and Security extensions memory corruption
Lack of validation of the parameters of the
SProcSecurityGenerateAuthorization SProcRecordCreateContext
functions makes it possible for a specially crafted request to trigger
the swapping of bytes outside the parameter of these requests, causing
memory corruption.
(cherry picked from commit 95d162c4389857d960da9b0158345c1714e91f31)
-rw-r--r-- | Xext/security.c | 10 | ||||
-rw-r--r-- | record/record.c | 16 |
2 files changed, 20 insertions, 6 deletions
diff --git a/Xext/security.c b/Xext/security.c index ac762794a..7e8a06e38 100644 --- a/Xext/security.c +++ b/Xext/security.c @@ -651,15 +651,19 @@ SProcSecurityGenerateAuthorization( register char n; CARD32 *values; unsigned long nvalues; + int values_offset; swaps(&stuff->length, n); REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq); swaps(&stuff->nbytesAuthProto, n); swaps(&stuff->nbytesAuthData, n); swapl(&stuff->valueMask, n); - values = (CARD32 *)(&stuff[1]) + - ((stuff->nbytesAuthProto + (unsigned)3) >> 2) + - ((stuff->nbytesAuthData + (unsigned)3) >> 2); + values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) + + ((stuff->nbytesAuthData + (unsigned)3) >> 2); + if (values_offset > + stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2)) + return BadLength; + values = (CARD32 *)(&stuff[1]) + values_offset; nvalues = (((CARD32 *)stuff) + stuff->length) - values; SwapLongs(values, nvalues); return ProcSecurityGenerateAuthorization(client); diff --git a/record/record.c b/record/record.c index 0ed8f84c2..9a166d67b 100644 --- a/record/record.c +++ b/record/record.c @@ -2656,7 +2656,7 @@ SProcRecordQueryVersion(ClientPtr client) } /* SProcRecordQueryVersion */ -static void +static int SwapCreateRegister(xRecordRegisterClientsReq *stuff) { register char n; @@ -2667,11 +2667,17 @@ SwapCreateRegister(xRecordRegisterClientsReq *stuff) swapl(&stuff->nClients, n); swapl(&stuff->nRanges, n); pClientID = (XID *)&stuff[1]; + if (stuff->nClients > stuff->length - (sz_xRecordRegisterClientsReq >> 2)) + return BadLength; for (i = 0; i < stuff->nClients; i++, pClientID++) { swapl(pClientID, n); } + if (stuff->nRanges > stuff->length - (sz_xRecordRegisterClientsReq >> 2) + - stuff->nClients) + return BadLength; RecordSwapRanges((xRecordRange *)pClientID, stuff->nRanges); + return Success; } /* SwapCreateRegister */ @@ -2679,11 +2685,13 @@ static int SProcRecordCreateContext(ClientPtr client) { REQUEST(xRecordCreateContextReq); + int status; register char n; swaps(&stuff->length, n); REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq); - SwapCreateRegister((pointer)stuff); + if ((status = SwapCreateRegister((pointer)stuff)) != Success) + return status; return ProcRecordCreateContext(client); } /* SProcRecordCreateContext */ @@ -2692,11 +2700,13 @@ static int SProcRecordRegisterClients(ClientPtr client) { REQUEST(xRecordRegisterClientsReq); + int status; register char n; swaps(&stuff->length, n); REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq); - SwapCreateRegister((pointer)stuff); + if ((status = SwapCreateRegister((pointer)stuff)) != Success) + return status; return ProcRecordRegisterClients(client); } /* SProcRecordRegisterClients */ |