CVE-2008-1379 - MIT-SHM arbitrary memory read
An integer overflow in the validation of the parameters of the ShmPutImage() request makes it possible to trigger the copy of arbitrary server memory to a pixmap that can subsequently be read by the client, to read arbitrary parts of the X server memory space.
This commit is contained in:
parent
95d162c438
commit
063f18ef6d
13
Xext/shm.c
13
Xext/shm.c
|
@ -894,8 +894,17 @@ ProcShmPutImage(client)
|
|||
return BadValue;
|
||||
}
|
||||
|
||||
VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
|
||||
client);
|
||||
/*
|
||||
* There's a potential integer overflow in this check:
|
||||
* VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
|
||||
* client);
|
||||
* the version below ought to avoid it
|
||||
*/
|
||||
if (stuff->totalHeight != 0 &&
|
||||
length > (shmdesc->size - stuff->offset)/stuff->totalHeight) {
|
||||
client->errorValue = stuff->totalWidth;
|
||||
return BadValue;
|
||||
}
|
||||
if (stuff->srcX > stuff->totalWidth)
|
||||
{
|
||||
client->errorValue = stuff->srcX;
|
||||
|
|
Loading…
Reference in New Issue
Block a user