Fix for CVE-2007-6427 - Xinput extension memory corruption.

author: Matthieu Herrb <matthieu@bluenote.herrb.com> 2008-01-17 15:27:34 +0100
committer: Matthieu Herrb <matthieu@bluenote.herrb.com> 2008-01-17 15:27:34 +0100
commit: dd5e0f5cd5f3a87fee86d99c073ffa7cf89b0a27 (patch)
tree: a7a83cc3bc0c643201cf9b51e7debc4081cef020 /Xi/grabdev.c
parent: bbde5b62a137ba726a747b838d81e92d72c1b42b (diff)
1 files changed, 5 insertions, 7 deletions
diff --git a/Xi/grabdev.c b/Xi/grabdev.c
index 110fc6b5f..0671e0ea7 100644
--- a/Xi/grabdev.c
+++ b/Xi/grabdev.c
@@ -78,8 +78,6 @@ int
 SProcXGrabDevice(ClientPtr client)
 {
     char n;
-    long *p;
-    int i;
 
     REQUEST(xGrabDeviceReq);
     swaps(&stuff->length, n);
@@ -87,11 +85,11 @@ SProcXGrabDevice(ClientPtr client)
     swapl(&stuff->grabWindow, n);
     swapl(&stuff->time, n);
     swaps(&stuff->event_count, n);
-    p = (long *)&stuff[1];
-    for (i = 0; i < stuff->event_count; i++) {
-	swapl(p, n);
-	p++;
-    }
+
+    if (stuff->length != (sizeof(xGrabDeviceReq) >> 2) + stuff->event_count)
+       return BadLength;
+    
+    SwapLongs((CARD32 *) (&stuff[1]), stuff->event_count);
 
     return (ProcXGrabDevice(client));
 }
author	Matthieu Herrb <matthieu@bluenote.herrb.com>	2008-01-17 15:27:34 +0100
committer	Matthieu Herrb <matthieu@bluenote.herrb.com>	2008-01-17 15:27:34 +0100
commit	dd5e0f5cd5f3a87fee86d99c073ffa7cf89b0a27 (patch)
tree	a7a83cc3bc0c643201cf9b51e7debc4081cef020 /Xi/grabdev.c
parent	bbde5b62a137ba726a747b838d81e92d72c1b42b (diff)