summaryrefslogtreecommitdiff
path: root/Xext
diff options
context:
space:
mode:
authorMatthieu Herrb <matthieu.herrb@laas.fr>2008-06-10 12:20:43 -0600
committerMatthieu Herrb <matthieu@bluenote.herrb.net>2008-06-11 08:06:09 -0600
commit063f18ef6d7bf834225ddfd3527e58c078628f5f (patch)
tree85430080d7e068d005af24f87d7f7d11147b3a84 /Xext
parent95d162c4389857d960da9b0158345c1714e91f31 (diff)
CVE-2008-1379 - MIT-SHM arbitrary memory read
An integer overflow in the validation of the parameters of the ShmPutImage() request makes it possible to trigger the copy of arbitrary server memory to a pixmap that can subsequently be read by the client, to read arbitrary parts of the X server memory space.
Diffstat (limited to 'Xext')
-rw-r--r--Xext/shm.c13
1 files changed, 11 insertions, 2 deletions
diff --git a/Xext/shm.c b/Xext/shm.c
index 80780bbbc..3f51b9c40 100644
--- a/Xext/shm.c
+++ b/Xext/shm.c
@@ -894,8 +894,17 @@ ProcShmPutImage(client)
return BadValue;
}
- VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
- client);
+ /*
+ * There's a potential integer overflow in this check:
+ * VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
+ * client);
+ * the version below ought to avoid it
+ */
+ if (stuff->totalHeight != 0 &&
+ length > (shmdesc->size - stuff->offset)/stuff->totalHeight) {
+ client->errorValue = stuff->totalWidth;
+ return BadValue;
+ }
if (stuff->srcX > stuff->totalWidth)
{
client->errorValue = stuff->srcX;