andreacavalli
/
xserver-multidpi
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

render: Fix out of boundary heap access 

ProcRenderCreateRadialGradient and ProcRenderCreateConicalGradient must
be protected against an integer overflow during length check. This is
already included in ProcRenderCreateLinearGradient since the fix for
CVE-2008-2362.

This can only be successfully exploited on a 32 bit system for an
out of boundary read later on. Validated by using ASAN.

Reviewed-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit ac15d4cecc)
This commit is contained in:
Tobias Stoeckmann 2017-03-13 19:13:14 +01:00 committed by Adam Jackson
parent fbb46e0be8
commit 7c4fab2f1f
1 changed files with 4 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
render/render.c
View File

@ -1908,6 +1908,8 @@ ProcRenderCreateRadialGradient(ClientPtr client)
LEGAL_NEW_RESOURCE(stuff->pid, client);
len = (client->req_len << 2) - sizeof(xRenderCreateRadialGradientReq);
if (stuff->nStops > UINT32_MAX / (sizeof(xFixed) + sizeof(xRenderColor)))
return BadLength;
if (len != stuff->nStops * (sizeof(xFixed) + sizeof(xRenderColor)))
return BadLength;
@ -1946,6 +1948,8 @@ ProcRenderCreateConicalGradient(ClientPtr client)
LEGAL_NEW_RESOURCE(stuff->pid, client);
len = (client->req_len << 2) - sizeof(xRenderCreateConicalGradientReq);
if (stuff->nStops > UINT32_MAX / (sizeof(xFixed) + sizeof(xRenderColor)))
return BadLength;
if (len != stuff->nStops * (sizeof(xFixed) + sizeof(xRenderColor)))
return BadLength;