Xephyr: integer overflow in XF86DRIGetClientDriverName()
clientDriverNameLength is a CARD32 and needs to be bounds checked before adding one to it to come up with the total size to allocate, to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Julien Cristau <jcristau@debian.org>
This commit is contained in:
parent
20644e53b3
commit
1cb182cbdc
|
@ -328,9 +328,11 @@ XF86DRIGetClientDriverName(Display * dpy, int screen,
|
|||
*ddxDriverPatchVersion = rep.ddxDriverPatchVersion;
|
||||
|
||||
if (rep.length) {
|
||||
if (!
|
||||
(*clientDriverName =
|
||||
(char *) calloc(rep.clientDriverNameLength + 1, 1))) {
|
||||
if (rep.clientDriverNameLength < INT_MAX)
|
||||
*clientDriverName = calloc(rep.clientDriverNameLength + 1, 1);
|
||||
else
|
||||
*clientDriverName = NULL;
|
||||
if (*clientDriverName == NULL) {
|
||||
_XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3));
|
||||
UnlockDisplay(dpy);
|
||||
SyncHandle();
|
||||
|
|
Loading…
Reference in New Issue
Block a user