record: Fix OOB access in ProcRecordUnregisterClients

If a client sends a RecordUnregisterClients request with an nClients field larger than INT_MAX / 4, an integer overflow leads to an out of boundary access in RecordSanityCheckClientSpecifiers. An example line with libXtst would be: XRecordUnregisterClients(dpy, rc, clients, 0x40000001); Reviewed-by: Adam Jackson <ajax@redhat.com>
2017-03-19 17:55:07 +01:00 · 2017-03-19 17:55:07 +01:00 · 40c12a76c2
parent 1ad2306823
commit 40c12a76c2
1 changed files with 2 additions and 1 deletions
--- a/record/record.c
+++ b/record/record.c
@ -1910,7 +1910,8 @@ ProcRecordUnregisterClients(ClientPtr client)
    int i;

    REQUEST_AT_LEAST_SIZE(xRecordUnregisterClientsReq);
-    if ((client->req_len << 2) - SIZEOF(xRecordUnregisterClientsReq) !=
+    if (INT_MAX / 4 < stuff->nClients ||
+        (client->req_len << 2) - SIZEOF(xRecordUnregisterClientsReq) !=
        4 * stuff->nClients)
        return BadLength;
    VERIFY_CONTEXT(pContext, stuff->context, client);