summaryrefslogtreecommitdiff
path: root/Xi
diff options
context:
space:
mode:
authorMichal Srb <msrb@suse.com>2017-07-07 17:21:46 +0200
committerPeter Hutterer <peter.hutterer@who-t.net>2017-07-11 12:34:19 +1000
commit211e05ac85a294ef361b9f80d689047fa52b9076 (patch)
tree14f681ac4a8eaf8de1e830824d3b6318398693cf /Xi
parentabb031e731f5c159add1b3351de9c4bb121bf00a (diff)
Xi: Test exact size of XIBarrierReleasePointer
Otherwise a client can send any value of num_barriers and cause reading or swapping of values on heap behind the receive buffer. Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Diffstat (limited to 'Xi')
-rw-r--r--Xi/xibarriers.c9
1 files changed, 6 insertions, 3 deletions
diff --git a/Xi/xibarriers.c b/Xi/xibarriers.c
index af1562ed2..d82ecb6a5 100644
--- a/Xi/xibarriers.c
+++ b/Xi/xibarriers.c
@@ -830,10 +830,13 @@ SProcXIBarrierReleasePointer(ClientPtr client)
REQUEST(xXIBarrierReleasePointerReq);
int i;
- info = (xXIBarrierReleasePointerInfo*) &stuff[1];
-
swaps(&stuff->length);
+ REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
+
swapl(&stuff->num_barriers);
+ REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
+
+ info = (xXIBarrierReleasePointerInfo*) &stuff[1];
for (i = 0; i < stuff->num_barriers; i++, info++) {
swaps(&info->deviceid);
swapl(&info->barrier);
@@ -853,7 +856,7 @@ ProcXIBarrierReleasePointer(ClientPtr client)
xXIBarrierReleasePointerInfo *info;
REQUEST(xXIBarrierReleasePointerReq);
- REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
+ REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
info = (xXIBarrierReleasePointerInfo*) &stuff[1];
for (i = 0; i < stuff->num_barriers; i++, info++) {
generated by cgit v1.2.3 (git 2.39.1) at 2025-02-07 20:19:04 +0000