Unvalidated lengths

v2: Add overflow check and remove unnecessary check (Julien Cristau) This addresses: CVE-2017-12184 in XINERAMA CVE-2017-12185 in MIT-SCREEN-SAVER CVE-2017-12186 in X-Resource CVE-2017-12187 in RENDER Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Signed-off-by: Nathan Kidd <nkidd@opentext.com> Signed-off-by: Julien Cristau <jcristau@debian.org> (cherry picked from commit cad5a1050b7184d828aef9c1dd151c3ab649d37e)
author: Nathan Kidd <nkidd@opentext.com> 2015-01-09 09:57:23 -0500
committer: Adam Jackson <ajax@redhat.com> 2017-10-12 12:25:02 -0400
commit: c206f36a4b6ecf2555ab2291c349ab7d7d0b02f5 (patch)
tree: 897692571963c316a878fe68c0c922b4dcc7351b /render
parent: e751722a7b0c5b595794e60b054ade0b3f6cdb4d (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/render/render.c b/render/render.c
index bfacaa0d0..3a41e331e 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1757,6 +1757,9 @@ ProcRenderSetPictureFilter(ClientPtr client)
     name = (char *) (stuff + 1);
     params = (xFixed *) (name + pad_to_int32(stuff->nbytes));
     nparams = ((xFixed *) stuff + client->req_len) - params;
+    if (nparams < 0)
+	return BadLength;
+
     result = SetPictureFilter(pPicture, name, stuff->nbytes, params, nparams);
     return result;
 }
author	Nathan Kidd <nkidd@opentext.com>	2015-01-09 09:57:23 -0500
committer	Adam Jackson <ajax@redhat.com>	2017-10-12 12:25:02 -0400
commit	c206f36a4b6ecf2555ab2291c349ab7d7d0b02f5 (patch)
tree	897692571963c316a878fe68c0c922b4dcc7351b /render
parent	e751722a7b0c5b595794e60b054ade0b3f6cdb4d (diff)