authorMatthieu Herrb <matthieu@bluenote.herrb.com>2008-01-17 15:27:34 +0100
committerMatthieu Herrb <matthieu@bluenote.herrb.com>2008-01-17 15:27:34 +0100
commitdd5e0f5cd5f3a87fee86d99c073ffa7cf89b0a27 (patch)
treea7a83cc3bc0c643201cf9b51e7debc4081cef020 /Xi/sendexev.c
parentbbde5b62a137ba726a747b838d81e92d72c1b42b (diff)
Fix for CVE-2007-6427 - Xinput extension memory corruption.
Diffstat (limited to 'Xi/sendexev.c')
-rw-r--r--Xi/sendexev.c14
1 files changed, 8 insertions, 6 deletions
diff --git a/Xi/sendexev.c b/Xi/sendexev.c
index e4e38d790..588c91023 100644
--- a/Xi/sendexev.c
+++ b/Xi/sendexev.c
@@ -80,7 +80,7 @@ int
SProcXSendExtensionEvent(ClientPtr client)
{
char n;
- long *p;
+ CARD32 *p;
int i;
xEvent eventT;
xEvent *eventP;
@@ -91,6 +91,11 @@ SProcXSendExtensionEvent(ClientPtr client)
REQUEST_AT_LEAST_SIZE(xSendExtensionEventReq);
swapl(&stuff->destination, n);
swaps(&stuff->count, n);
+
+ if (stuff->length != (sizeof(xSendExtensionEventReq) >> 2) + stuff->count +
+ (stuff->num_events * (sizeof(xEvent) >> 2)))
+ return BadLength;
+
eventP = (xEvent *) & stuff[1];
for (i = 0; i < stuff->num_events; i++, eventP++) {
proc = EventSwapVector[eventP->u.u.type & 0177];
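Review bot: The new `BadLength` test is what bounds both the event loop below it and the later swap of the trailing `count` words, but nothing at the check says so, and a later edit could move an in-place swap above it. I would add a comment directly above the `if`, for example `/* num_events and count are client-supplied; require exactly header + events + count words before swapping anything past the header */`. This handler is only reached by clients of the opposite byte order, so the same exact-length test needs to exist in `ProcXSendExtensionEvent` for native-order clients; that function is not in these hunks, so confirm it there. The loop body continues outside the hunk, so how `proc` is validated before it is called cannot be checked from here.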
@@ -100,11 +105,8 @@ SProcXSendExtensionEvent(ClientPtr client)
*eventP = eventT;
}
- p = (long *)(((xEvent *) & stuff[1]) + stuff->num_events);
- for (i = 0; i < stuff->count; i++) {
- swapl(p, n);
- p++;
- }
+ p = (CARD32 *)(((xEvent *) & stuff[1]) + stuff->num_events);
+ SwapLongs(p, stuff->count);
return (ProcXSendExtensionEvent(client));
}
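Review bot: The switch from `long *` to `CARD32 *` (the declaration in the first hunk and the cast here) has no explanation in the code or the commit message, and the reason is easy to lose. On LP64 platforms `long` is 8 bytes, so the removed loop's `p++` presumably advanced two wire words per iteration and walked about twice as far as `count` 32-bit words occupy. A one-line comment above the `SwapLongs` call would record that, e.g. `/* trailing data is count 32-bit wire words; total length was validated above */`. As a smaller style point, `(xEvent *) & stuff[1]` is now computed twice in the function; a single named base pointer would make it clearer that the event loop and this swap cover adjacent regions.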