record: Fix OOB access in ProcRecordUnregisterClients
If a client sends a RecordUnregisterClients request with an nClients field larger than INT_MAX / 4, an integer overflow leads to an out of boundary access in RecordSanityCheckClientSpecifiers. An example line with libXtst would be: XRecordUnregisterClients(dpy, rc, clients, 0x40000001); Reviewed-by: Adam Jackson <ajax@redhat.com>
This commit is contained in:
parent
1ad2306823
commit
40c12a76c2
|
@ -1910,7 +1910,8 @@ ProcRecordUnregisterClients(ClientPtr client)
|
|||
int i;
|
||||
|
||||
REQUEST_AT_LEAST_SIZE(xRecordUnregisterClientsReq);
|
||||
if ((client->req_len << 2) - SIZEOF(xRecordUnregisterClientsReq) !=
|
||||
if (INT_MAX / 4 < stuff->nClients ||
|
||||
(client->req_len << 2) - SIZEOF(xRecordUnregisterClientsReq) !=
|
||||
4 * stuff->nClients)
|
||||
return BadLength;
|
||||
VERIFY_CONTEXT(pContext, stuff->context, client);
|
||||
|
|
Loading…
Reference in New Issue