summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlan Coopersmith <alan.coopersmith@oracle.com>2014-01-22 21:11:16 -0800
committerAlan Coopersmith <alan.coopersmith@oracle.com>2014-12-08 18:09:46 -0800
commiteeae42d60bf3d5663ea088581f6c28a82cd17829 (patch)
tree8ea21c65aa6ee2a0d9acb6e31f04435a3867c467
parent90cc925c5991fcb203f72d00b04419cd754a9b2c (diff)
dix: integer overflow in ProcPutImage() [CVE-2014-8092 1/4]
ProcPutImage() calculates a length field from a width, left pad and depth specified by the client (if the specified format is XYPixmap). The calculations for the total amount of memory the server needs for the pixmap can overflow a 32-bit number, causing out-of-bounds memory writes on 32-bit systems (since the length is stored in a long int variable). Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-rw-r--r--dix/dispatch.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/dix/dispatch.c b/dix/dispatch.c
index d844a0942..55b978dea 100644
--- a/dix/dispatch.c
+++ b/dix/dispatch.c
@@ -2000,6 +2000,9 @@ ProcPutImage(ClientPtr client)
tmpImage = (char *) &stuff[1];
lengthProto = length;
+ if (lengthProto >= (INT32_MAX / stuff->height))
+ return BadLength;
+
if ((bytes_to_int32(lengthProto * stuff->height) +
bytes_to_int32(sizeof(xPutImageReq))) != client->req_len)
return BadLength;