CVE-2008-1377 - RECORD and Security extensions memory corruption

Lack of validation of the parameters of the
SProcSecurityGenerateAuthorization SProcRecordCreateContext
functions makes it possible for a specially crafted request to trigger
the swapping of bytes outside the parameter of these requests, causing
memory corruption.

2 files changed, 20 insertions, 6 deletions

diff --git a/Xext/security.c b/Xext/security.c
index f28b10dee..bd92600f6 100644
--- a/Xext/security.c
+++ b/Xext/security.c
@@ -676,15 +676,19 @@ SProcSecurityGenerateAuthorization(
     char	n;
     CARD32 *values;
     unsigned long nvalues;
+    int values_offset;
 
     swaps(&stuff->length, n);
     REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq);
     swaps(&stuff->nbytesAuthProto, n);
     swaps(&stuff->nbytesAuthData, n);
     swapl(&stuff->valueMask, n);
-    values = (CARD32 *)(&stuff[1]) +
-	((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
-	((stuff->nbytesAuthData + (unsigned)3) >> 2);
+    values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) +
+		    ((stuff->nbytesAuthData + (unsigned)3) >> 2);
+    if (values_offset > 
+	stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2))
+	return BadLength;
+    values = (CARD32 *)(&stuff[1]) + values_offset;
     nvalues = (((CARD32 *)stuff) + stuff->length) - values;
     SwapLongs(values, nvalues);
     return ProcSecurityGenerateAuthorization(client);
diff --git a/record/record.c b/record/record.c
index ec06ca93c..d7314b1b1 100644
--- a/record/record.c
+++ b/record/record.c
@@ -2658,7 +2658,7 @@ SProcRecordQueryVersion(ClientPtr client)
 } /* SProcRecordQueryVersion */
 
 
-static void
+static int
 SwapCreateRegister(xRecordRegisterClientsReq *stuff)
 {
     register char n;
@@ -2669,11 +2669,17 @@ SwapCreateRegister(xRecordRegisterClientsReq *stuff)
     swapl(&stuff->nClients, n);
     swapl(&stuff->nRanges, n);
     pClientID = (XID *)&stuff[1];
+    if (stuff->nClients > stuff->length - (sz_xRecordRegisterClientsReq >> 2))
+	return BadLength;
     for (i = 0; i < stuff->nClients; i++, pClientID++)
     {
 	swapl(pClientID, n);
     }
+    if (stuff->nRanges > stuff->length - (sz_xRecordRegisterClientsReq >> 2)
+	- stuff->nClients)
+	return BadLength;
     RecordSwapRanges((xRecordRange *)pClientID, stuff->nRanges);
+    return Success;
 } /* SwapCreateRegister */
 
 
@@ -2681,11 +2687,13 @@ static int
 SProcRecordCreateContext(ClientPtr client)
 {
     REQUEST(xRecordCreateContextReq);
+    int			status;
     register char 	n;
 
     swaps(&stuff->length, n);
     REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
-    SwapCreateRegister((pointer)stuff);
+    if ((status = SwapCreateRegister((pointer)stuff)) != Success)
+	return status;
     return ProcRecordCreateContext(client);
 } /* SProcRecordCreateContext */
 
@@ -2694,11 +2702,13 @@ static int
 SProcRecordRegisterClients(ClientPtr client)
 {
     REQUEST(xRecordRegisterClientsReq);
+    int			status;
     register char 	n;
 
     swaps(&stuff->length, n);
     REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
-    SwapCreateRegister((pointer)stuff);
+    if ((status = SwapCreateRegister((pointer)stuff)) != Success)
+	return status;
     return ProcRecordRegisterClients(client);
 } /* SProcRecordRegisterClients */