CVE-2008-1379 - MIT-SHM arbitrary memory read
An integer overflow in the validation of the parameters of the ShmPutImage() request makes it possible to trigger the copy of arbitrary server memory to a pixmap that can subsequently be read by the client, to read arbitrary parts of the X server memory space.
This commit is contained in:
parent
95d162c438
commit
063f18ef6d
13
Xext/shm.c
13
Xext/shm.c
|
@ -894,8 +894,17 @@ ProcShmPutImage(client)
|
||||||
return BadValue;
|
return BadValue;
|
||||||
}
|
}
|
||||||
|
|
||||||
VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
|
/*
|
||||||
client);
|
* There's a potential integer overflow in this check:
|
||||||
|
* VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
|
||||||
|
* client);
|
||||||
|
* the version below ought to avoid it
|
||||||
|
*/
|
||||||
|
if (stuff->totalHeight != 0 &&
|
||||||
|
length > (shmdesc->size - stuff->offset)/stuff->totalHeight) {
|
||||||
|
client->errorValue = stuff->totalWidth;
|
||||||
|
return BadValue;
|
||||||
|
}
|
||||||
if (stuff->srcX > stuff->totalWidth)
|
if (stuff->srcX > stuff->totalWidth)
|
||||||
{
|
{
|
||||||
client->errorValue = stuff->srcX;
|
client->errorValue = stuff->srcX;
|
||||||
|
|
Loading…
Reference in New Issue
Block a user