summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlan Coopersmith <alan.coopersmith@oracle.com>2014-01-22 23:44:46 -0800
committerJulien Cristau <jcristau@debian.org>2014-12-09 17:50:12 +0100
commit2883994f9f2d5cae63816db6945dfea618e4a2ee (patch)
treef2b2aa1d7210d556346faed1fc7ecf89c57c76d0
parentc2515e9dfd5642e90f2b2526db02afc4ad217a53 (diff)
dix: integer overflow in REQUEST_FIXED_SIZE() [CVE-2014-8092 4/4]
Force use of 64-bit integers when evaluating data provided by clients in 32-bit fields which can overflow when added or multiplied during checks. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> (cherry picked from commit e0e11644622a589129a01e11e5d105dc74a098de) Signed-off-by: Julien Cristau <jcristau@debian.org>
Diffstat
-rw-r--r--include/dix.h3
1 files changed, 2 insertions, 1 deletions
diff --git a/include/dix.h b/include/dix.h
index f42e23655..9bbbba9c6 100644
--- a/include/dix.h
+++ b/include/dix.h
@@ -76,7 +76,8 @@ SOFTWARE.
#define REQUEST_FIXED_SIZE(req, n)\
if (((sizeof(req) >> 2) > client->req_len) || \
- (((sizeof(req) + (n) + 3) >> 2) != client->req_len)) \
+ ((n >> 2) >= client->req_len) || \
+ ((((uint64_t) sizeof(req) + (n) + 3) >> 2) != (uint64_t) client->req_len)) \
return(BadLength)
#define LEGAL_NEW_RESOURCE(id,client)\
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-21 21:50:15 +0000