diff options
author | Nathan Kidd <nkidd@opentext.com> | 2015-01-09 10:09:14 -0500 |
---|---|---|
committer | Julien Cristau <jcristau@debian.org> | 2017-10-10 23:33:44 +0200 |
commit | 4ca68b878e851e2136c234f40a25008297d8d831 (patch) | |
tree | ba9c7c5ffae7cb54be937c615426f7118566fea5 | |
parent | 859b08d523307eebde7724fd1a0789c44813e821 (diff) |
dbe: Unvalidated variable-length request in ProcDbeGetVisualInfo (CVE-2017-12177)
v2: Protect against integer overflow (Alan Coopersmith)
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Nathan Kidd <nkidd@opentext.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
-rw-r--r-- | dbe/dbe.c | 5 |
1 files changed, 4 insertions, 1 deletions
@@ -574,6 +574,9 @@ ProcDbeGetVisualInfo(ClientPtr client) XdbeScreenVisualInfo *pScrVisInfo; REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq); + if (stuff->n > UINT32_MAX / sizeof(CARD32)) + return BadLength; + REQUEST_FIXED_SIZE(xDbeGetVisualInfoReq, stuff->n * sizeof(CARD32)); if (stuff->n > UINT32_MAX / sizeof(DrawablePtr)) return BadAlloc; @@ -924,7 +927,7 @@ SProcDbeSwapBuffers(ClientPtr client) swapl(&stuff->n); if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec)) - return BadAlloc; + return BadLength; REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo)); if (stuff->n != 0) { |