andreacavalli/xserver-multidpi
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Xephyr: integer overflow in XF86DRIGetClientDriverName()

Browse Source 
clientDriverNameLength is a CARD32 and needs to be bounds checked before
adding one to it to come up with the total size to allocate, to avoid
integer overflow leading to underallocation and writing data from the
network past the end of the allocated buffer.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
This commit is contained in:
Alan Coopersmith 2013-04-15 08:41:14 -07:00
parent 20644e53b3
commit 1cb182cbdc
1 changed files with 5 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
hw/kdrive/ephyr/XF86dri.c
View File

@ -328,9 +328,11 @@ XF86DRIGetClientDriverName(Display * dpy, int screen,
*ddxDriverPatchVersion = rep.ddxDriverPatchVersion;
if (rep.length) {
if (!
(*clientDriverName =
(char *) calloc(rep.clientDriverNameLength + 1, 1))) {
if (rep.clientDriverNameLength < INT_MAX)
*clientDriverName = calloc(rep.clientDriverNameLength + 1, 1);
else
*clientDriverName = NULL;
if (*clientDriverName == NULL) {
_XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3));
UnlockDisplay(dpy);
SyncHandle();