diff options
| author | Matthieu Herrb <matthieu@blues.laas.fr> | 2007-01-09 14:14:19 +0100 |
|---|---|---|
| committer | Matthieu Herrb <matthieu@blues.laas.fr> | 2007-01-09 14:14:19 +0100 |
| commit | e3aa6ad201eb20862c11c000e76206e317a96dc9 (patch) | |
| tree | 9f1f4226c44f90e299ab6201cec1874c09c4d8ad /dbe | |
| parent | 359d20532bdcef6a540a551578d000afbb609c2d (diff) | |
Multiple integer overflows in dbe and render extensions
CVE IDs: CVE-2006-6101 CVE-2006-6102 CVE-2006-6103
Diffstat (limited to 'dbe')
| -rw-r--r-- | dbe/dbe.c | 34 |
1 files changed, 22 insertions, 12 deletions
@@ -39,6 +39,11 @@ #endif #include <string.h> +#if HAVE_STDINT_H +#include <stdint.h> +#elif !defined(UINT32_MAX) +#define UINT32_MAX 0xffffffffU +#endif #include <X11/X.h> #include <X11/Xproto.h> @@ -711,11 +716,14 @@ ProcDbeSwapBuffers(ClientPtr client) return(Success); } + if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec)) + return BadAlloc; + /* Get to the swap info appended to the end of the request. */ dbeSwapInfo = (xDbeSwapInfo *)&stuff[1]; /* Allocate array to record swap information. */ - swapInfo = (DbeSwapInfoPtr)ALLOCATE_LOCAL(nStuff * sizeof(DbeSwapInfoRec)); + swapInfo = (DbeSwapInfoPtr)Xalloc(nStuff * sizeof(DbeSwapInfoRec)); if (swapInfo == NULL) { return(BadAlloc); @@ -730,14 +738,14 @@ ProcDbeSwapBuffers(ClientPtr client) error = dixLookupWindow(&pWin, dbeSwapInfo[i].window, client, DixWriteAccess); if (error != Success) { - DEALLOCATE_LOCAL(swapInfo); + Xfree(swapInfo); return error; } /* Each window must be double-buffered - BadMatch. */ if (DBE_WINDOW_PRIV(pWin) == NULL) { - DEALLOCATE_LOCAL(swapInfo); + Xfree(swapInfo); return(BadMatch); } @@ -746,7 +754,7 @@ ProcDbeSwapBuffers(ClientPtr client) { if (dbeSwapInfo[i].window == dbeSwapInfo[j].window) { - DEALLOCATE_LOCAL(swapInfo); + Xfree(swapInfo); return(BadMatch); } } @@ -757,7 +765,7 @@ ProcDbeSwapBuffers(ClientPtr client) (dbeSwapInfo[i].swapAction != XdbeUntouched ) && (dbeSwapInfo[i].swapAction != XdbeCopied )) { - DEALLOCATE_LOCAL(swapInfo); + Xfree(swapInfo); return(BadValue); } @@ -787,12 +795,12 @@ ProcDbeSwapBuffers(ClientPtr client) error = (*pDbeScreenPriv->SwapBuffers)(client, &nStuff, swapInfo); if (error != Success) { - DEALLOCATE_LOCAL(swapInfo); + Xfree(swapInfo); return(error); } } - DEALLOCATE_LOCAL(swapInfo); + Xfree(swapInfo); return(Success); } /* ProcDbeSwapBuffers() */ @@ -874,10 +882,12 @@ ProcDbeGetVisualInfo(ClientPtr client) REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq); + if (stuff->n > UINT32_MAX / sizeof(DrawablePtr)) + return BadAlloc; /* Make sure any specified drawables are valid. */ if (stuff->n != 0) { - if (!(pDrawables = (DrawablePtr *)ALLOCATE_LOCAL(stuff->n * + if (!(pDrawables = (DrawablePtr *)Xalloc(stuff->n * sizeof(DrawablePtr)))) { return(BadAlloc); @@ -890,7 +900,7 @@ ProcDbeGetVisualInfo(ClientPtr client) rc = dixLookupDrawable(pDrawables+i, drawables[i], client, 0, DixReadAccess); if (rc != Success) { - DEALLOCATE_LOCAL(pDrawables); + Xfree(pDrawables); return rc; } } @@ -902,7 +912,7 @@ ProcDbeGetVisualInfo(ClientPtr client) { if (pDrawables) { - DEALLOCATE_LOCAL(pDrawables); + Xfree(pDrawables); } return(BadAlloc); @@ -929,7 +939,7 @@ ProcDbeGetVisualInfo(ClientPtr client) /* Free pDrawables if we needed to allocate it above. */ if (pDrawables) { - DEALLOCATE_LOCAL(pDrawables); + Xfree(pDrawables); } return(BadAlloc); @@ -1010,7 +1020,7 @@ ProcDbeGetVisualInfo(ClientPtr client) if (pDrawables) { - DEALLOCATE_LOCAL(pDrawables); + Xfree(pDrawables); } return(client->noClientException); |