dbe: Unvalidated variable-length request in ProcDbeGetVisualInfo (CVE-2017-12177)

v2: Protect against integer overflow (Alan Coopersmith) Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Signed-off-by: Nathan Kidd <nkidd@opentext.com> Signed-off-by: Julien Cristau <jcristau@debian.org> (cherry picked from commit 4ca68b878e851e2136c234f40a25008297d8d831)
author: Nathan Kidd <nkidd@opentext.com> 2015-01-09 10:09:14 -0500
committer: Adam Jackson <ajax@redhat.com> 2017-10-12 12:25:36 -0400
commit: cc41e5b581d287c56f8d7113a97a4882dcfdd696 (patch)
tree: 6fd3bea72b9647611970d49babbcf1bbc6467db7 /dbe
parent: 6c15122163a2d2615db7e998e8d436815a08dec6 (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/dbe/dbe.c b/dbe/dbe.c
index 23f7e164d..f31766f31 100644
--- a/dbe/dbe.c
+++ b/dbe/dbe.c
@@ -574,6 +574,9 @@ ProcDbeGetVisualInfo(ClientPtr client)
     XdbeScreenVisualInfo *pScrVisInfo;
 
     REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq);
+    if (stuff->n > UINT32_MAX / sizeof(CARD32))
+        return BadLength;
+    REQUEST_FIXED_SIZE(xDbeGetVisualInfoReq, stuff->n * sizeof(CARD32));
 
     if (stuff->n > UINT32_MAX / sizeof(DrawablePtr))
         return BadAlloc;
@@ -924,7 +927,7 @@ SProcDbeSwapBuffers(ClientPtr client)
 
     swapl(&stuff->n);
     if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))
-        return BadAlloc;
+        return BadLength;
     REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo));
 
     if (stuff->n != 0) {
author	Nathan Kidd <nkidd@opentext.com>	2015-01-09 10:09:14 -0500
committer	Adam Jackson <ajax@redhat.com>	2017-10-12 12:25:36 -0400
commit	cc41e5b581d287c56f8d7113a97a4882dcfdd696 (patch)
tree	6fd3bea72b9647611970d49babbcf1bbc6467db7 /dbe
parent	6c15122163a2d2615db7e998e8d436815a08dec6 (diff)