CVE-2008-1379 - MIT-SHM arbitrary memory read

An integer overflow in the validation of the parameters of the
ShmPutImage() request makes it possible to trigger the copy of
arbitrary server memory to a pixmap that can subsequently be read by
the client, to read arbitrary parts of the X server memory space.
Matthieu Herrb 2008-06-10 12:20:43 -06:00 committed by Matthieu Herrb
parent 95d162c438
commit 063f18ef6d

@ -894,8 +894,17 @@ ProcShmPutImage(client)
return BadValue;
}
VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
client);
/*
* There's a potential integer overflow in this check:
* VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
* client);
* the version below ought to avoid it
*/
if (stuff->totalHeight != 0 &&
length > (shmdesc->size - stuff->offset)/stuff->totalHeight) {
client->errorValue = stuff->totalWidth;
return BadValue;
}
if (stuff->srcX > stuff->totalWidth)
{
client->errorValue = stuff->srcX;
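
Review bot: The subtraction in the new bound, `(shmdesc->size - stuff->offset)/stuff->totalHeight`, is not preceded by any visible check that stuff->offset is no larger than shmdesc->size. If those fields are unsigned, an offset past the end of the segment makes the difference wrap to a very large value, and the comparison against length then passes. When stuff->totalHeight is 0 the whole test is skipped, so the offset is not validated here at all in that case. Suggest rejecting `stuff->offset > shmdesc->size` on its own before the division, independent of totalHeight. A smaller point: the failure path reports stuff->totalWidth in client->errorValue, although the test also depends on offset and totalHeight; a short comment on why that value was chosen would help.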