dri2: better checks for integer overflow in GetBuffers*
Check for integer overflow before using stuff->count in a multiplication,
to avoid compiler optimizing out due to undefined behaviour, but only
after we've checked to make sure stuff->count is in the range of the
request we're parsing.
Reported-by: jes@posteo.de
Reviewed-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 6ca496b7c3
)
parent
616239c15d
commit
62e2aa02ef
|
@ -269,9 +269,11 @@ ProcDRI2GetBuffers(ClientPtr client)
|
|||
int status, width, height, count;
|
||||
unsigned int *attachments;
|
||||
|
||||
REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * 4);
|
||||
if (stuff->count > (INT_MAX / 4))
|
||||
REQUEST_AT_LEAST_SIZE(xDRI2GetBuffersReq);
|
||||
/* stuff->count is a count of CARD32 attachments that follows */
|
||||
if (stuff->count > (INT_MAX / sizeof(CARD32)))
|
||||
return BadLength;
|
||||
REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * sizeof(CARD32));
|
||||
|
||||
if (!validDrawable(client, stuff->drawable, DixReadAccess | DixWriteAccess,
|
||||
&pDrawable, &status))
|
||||
|
@ -297,7 +299,13 @@ ProcDRI2GetBuffersWithFormat(ClientPtr client)
|
|||
int status, width, height, count;
|
||||
unsigned int *attachments;
|
||||
|
||||
REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * (2 * 4));
|
||||
REQUEST_AT_LEAST_SIZE(xDRI2GetBuffersReq);
|
||||
/* stuff->count is a count of pairs of CARD32s (attachments & formats)
|
||||
that follows */
|
||||
if (stuff->count > (INT_MAX / (2 * sizeof(CARD32))))
|
||||
return BadLength;
|
||||
REQUEST_FIXED_SIZE(xDRI2GetBuffersReq,
|
||||
stuff->count * (2 * sizeof(CARD32)));
|
||||
if (!validDrawable(client, stuff->drawable, DixReadAccess | DixWriteAccess,
|
||||
&pDrawable, &status))
|
||||
return status;
|
||||
|
|
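Review bot: The safety of both hunks depends on the order of the three checks, but only the commit message says so; the new in-code comments describe what stuff->count counts, not why the bound must come before the multiplication. In ProcDRI2GetBuffers I would add above the `if` something like `/* Bound count first so the length passed to REQUEST_FIXED_SIZE cannot overflow */`, and the same in ProcDRI2GetBuffersWithFormat, so a later cleanup does not fold the checks back into a single REQUEST_FIXED_SIZE call. The limit `INT_MAX / sizeof(CARD32)` is evaluated in size_t, which looks fine, but choosing INT_MAX presumably relates to the `int count` local declared at the top of each function, and the comment should say so if that is the reason. Both functions start before and continue past the visible hunks, so how the count is used afterwards cannot be confirmed from this page.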