From 4ca68b878e851e2136c234f40a25008297d8d831 Mon Sep 17 00:00:00 2001 From: Nathan Kidd Date: Fri, 9 Jan 2015 10:09:14 -0500 Subject: dbe: Unvalidated variable-length request in ProcDbeGetVisualInfo (CVE-2017-12177) v2: Protect against integer overflow (Alan Coopersmith) Reviewed-by: Alan Coopersmith Reviewed-by: Jeremy Huddleston Sequoia Reviewed-by: Julien Cristau Signed-off-by: Nathan Kidd Signed-off-by: Julien Cristau --- dbe/dbe.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/dbe/dbe.c b/dbe/dbe.c index 9a0c7a701..292a22366 100644 --- a/dbe/dbe.c +++ b/dbe/dbe.c @@ -574,6 +574,9 @@ ProcDbeGetVisualInfo(ClientPtr client) XdbeScreenVisualInfo *pScrVisInfo; REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq); + if (stuff->n > UINT32_MAX / sizeof(CARD32)) + return BadLength; + REQUEST_FIXED_SIZE(xDbeGetVisualInfoReq, stuff->n * sizeof(CARD32)); if (stuff->n > UINT32_MAX / sizeof(DrawablePtr)) return BadAlloc; @@ -924,7 +927,7 @@ SProcDbeSwapBuffers(ClientPtr client) swapl(&stuff->n); if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec)) - return BadAlloc; + return BadLength; REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo)); if (stuff->n != 0) { -- cgit v1.2.3