Unvalidated lengths

v2: Add overflow check and remove unnecessary check (Julien Cristau) This addresses: CVE-2017-12184 in XINERAMA CVE-2017-12185 in MIT-SCREEN-SAVER CVE-2017-12186 in X-Resource CVE-2017-12187 in RENDER Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Signed-off-by: Nathan Kidd <nkidd@opentext.com> Signed-off-by: Julien Cristau <jcristau@debian.org> (cherry picked from commit cad5a1050b7184d828aef9c1dd151c3ab649d37e)
author: Nathan Kidd <nkidd@opentext.com> 2015-01-09 09:57:23 -0500
committer: Adam Jackson <ajax@redhat.com> 2017-10-12 12:25:02 -0400
commit: c206f36a4b6ecf2555ab2291c349ab7d7d0b02f5 (patch)
tree: 897692571963c316a878fe68c0c922b4dcc7351b /hw
parent: e751722a7b0c5b595794e60b054ade0b3f6cdb4d (diff)
1 files changed, 2 insertions, 0 deletions
diff --git a/hw/dmx/dmxpict.c b/hw/dmx/dmxpict.c
index 1f1022ee6..63caec94e 100644
--- a/hw/dmx/dmxpict.c
+++ b/hw/dmx/dmxpict.c
@@ -716,6 +716,8 @@ dmxProcRenderSetPictureFilter(ClientPtr client)
         filter = (char *) (stuff + 1);
         params = (XFixed *) (filter + ((stuff->nbytes + 3) & ~3));
         nparams = ((XFixed *) stuff + client->req_len) - params;
+        if (nparams < 0)
+            return BadLength;
 
         XRenderSetPictureFilter(dmxScreen->beDisplay,
                                 pPictPriv->pict, filter, params, nparams);
author	Nathan Kidd <nkidd@opentext.com>	2015-01-09 09:57:23 -0500
committer	Adam Jackson <ajax@redhat.com>	2017-10-12 12:25:02 -0400
commit	c206f36a4b6ecf2555ab2291c349ab7d7d0b02f5 (patch)
tree	897692571963c316a878fe68c0c922b4dcc7351b /hw
parent	e751722a7b0c5b595794e60b054ade0b3f6cdb4d (diff)