andreacavalli
/
xserver-multidpi
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

dix: integer overflow in REQUEST_FIXED_SIZE() [CVE-2014-8092 4/4] 

Force use of 64-bit integers when evaluating data provided by clients
in 32-bit fields which can overflow when added or multiplied during
checks.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit e0e1164462)
Signed-off-by: Julien Cristau <jcristau@debian.org>
This commit is contained in:
Alan Coopersmith 2014-01-22 23:44:46 -08:00 committed by Julien Cristau
parent c2515e9dfd
commit 2883994f9f
1 changed files with 2 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
include/dix.h
View File

@ -76,7 +76,8 @@ SOFTWARE.
#define REQUEST_FIXED_SIZE(req, n)\
if (((sizeof(req) >> 2) > client->req_len) || \
(((sizeof(req) + (n) + 3) >> 2) != client->req_len)) \
((n >> 2) >= client->req_len) || \
((((uint64_t) sizeof(req) + (n) + 3) >> 2) != (uint64_t) client->req_len)) \
return(BadLength)
#define LEGAL_NEW_RESOURCE(id,client)\