andreacavalli/xserver-multidpi
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Xephyr: integer overflow in XF86DRIOpenConnection()

Browse Source 
busIdStringLength is a CARD32 and needs to be bounds checked before adding
one to it to come up with the total size to allocate, to avoid integer
overflow leading to underallocation and writing data from the network past
the end of the allocated buffer.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
This commit is contained in:
Alan Coopersmith 2013-04-15 08:39:03 -07:00
parent c37ceda76b
commit 20644e53b3
1 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
hw/kdrive/ephyr/XF86dri.c
View File

@ -64,6 +64,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#include <GL/glx.h>
#include "xf86dri.h"
#include <X11/dri/xf86driproto.h>
#include <limits.h>
static XExtensionInfo _xf86dri_info_data;
static XExtensionInfo *xf86dri_info = &_xf86dri_info_data;
@ -225,7 +226,11 @@ XF86DRIOpenConnection(Display * dpy, int screen,
}
if (rep.length) {
if (!(*busIdString = (char *) calloc(rep.busIdStringLength + 1, 1))) {
if (rep.busIdStringLength < INT_MAX)
*busIdString = calloc(rep.busIdStringLength + 1, 1);
else
*busIdString = NULL;
if (*busIdString == NULL) {
_XEatData(dpy, ((rep.busIdStringLength + 3) & ~3));
UnlockDisplay(dpy);
SyncHandle();