author | Keith Packard <keithp@keithp.com> | 2014-12-09 09:30:57 -0800 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2014-12-09 11:26:58 -0800 |
commit | b20912c3d45cbbde3c443e6c3d9e189092fe65e1 (patch) | |
tree | 8e7e019f288872a0655f1da0ab31a7b6d5cb4608 | |
parent | 7e7630bbb775573eea2a2335adb9d190c3e1e971 (diff) |
dbe: Call to DDX SwapBuffers requires address of int, not unsigned int [CVE-2014-8097 pt. 2]
When the local types used to walk the DBE request were changed, this
changed the type of the parameter passed to the DDX SwapBuffers API,
but there wasn't a matching change in the API definition.
At this point, with the API frozen, I just stuck a new variable in
with the correct type. Because we've already bounds-checked nStuff to
be smaller than UINT32_MAX / sizeof(DbeSwapInfoRec), we know it will
fit in a signed int without overflow.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-rw-r--r-- | dbe/dbe.c | 6 |
1 files changed, 4 insertions, 2 deletions
@@ -452,6 +452,7 @@ ProcDbeSwapBuffers(ClientPtr client) int error; unsigned int i, j; unsigned int nStuff; + int nStuff_i; /* DDX API requires int for nStuff */ REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq); nStuff = stuff->n; /* use local variable for performance. */ @@ -527,9 +528,10 @@ ProcDbeSwapBuffers(ClientPtr client) * could deal with cross-screen synchronization. */ - while (nStuff > 0) { + nStuff_i = nStuff; + while (nStuff_i > 0) { pDbeScreenPriv = DBE_SCREEN_PRIV_FROM_WINDOW(swapInfo[0].pWindow); - error = (*pDbeScreenPriv->SwapBuffers) (client, &nStuff, swapInfo); + error = (*pDbeScreenPriv->SwapBuffers) (client, &nStuff_i, swapInfo); if (error != Success) { free(swapInfo); return error; |
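Review bot: The assignment `nStuff_i = nStuff;` ahead of the `while` loop in the second hunk narrows an unsigned int to an int, and nothing at that line says why it is safe. The justification (nStuff already bounds-checked against UINT32_MAX / sizeof(DbeSwapInfoRec)) appears only in the commit message. Suggest a short comment at the assignment pointing to that check, so a later change to the bound does not silently make the conversion lossy. Note also that the loop now counts down `nStuff_i` through `&nStuff_i` while `nStuff` keeps the request's original value, so nothing after the loop should read `nStuff` expecting it to have been consumed.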