dbe: Call to DDX SwapBuffers requires address of int, not unsigned int [CVE-2014-8097 pt. 2]
When the local types used to walk the DBE request were changed, this changed the type of the parameter passed to the DDX SwapBuffers API, but there wasn't a matching change in the API definition. At this point, with the API frozen, I just stuck a new variable in with the correct type. Because we've already bounds-checked nStuff to be smaller than UINT32_MAX / sizeof(DbeSwapInfoRec), we know it will fit in a signed int without overflow. Signed-off-by: Keith Packard <keithp@keithp.com Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
parent
7e7630bbb7
commit
b20912c3d4
|
@ -452,6 +452,7 @@ ProcDbeSwapBuffers(ClientPtr client)
|
||||||
int error;
|
int error;
|
||||||
unsigned int i, j;
|
unsigned int i, j;
|
||||||
unsigned int nStuff;
|
unsigned int nStuff;
|
||||||
|
int nStuff_i; /* DDX API requires int for nStuff */
|
||||||
|
|
||||||
REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
|
REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
|
||||||
nStuff = stuff->n; /* use local variable for performance. */
|
nStuff = stuff->n; /* use local variable for performance. */
|
||||||
|
@ -527,9 +528,10 @@ ProcDbeSwapBuffers(ClientPtr client)
|
||||||
* could deal with cross-screen synchronization.
|
* could deal with cross-screen synchronization.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
while (nStuff > 0) {
|
nStuff_i = nStuff;
|
||||||
|
while (nStuff_i > 0) {
|
||||||
pDbeScreenPriv = DBE_SCREEN_PRIV_FROM_WINDOW(swapInfo[0].pWindow);
|
pDbeScreenPriv = DBE_SCREEN_PRIV_FROM_WINDOW(swapInfo[0].pWindow);
|
||||||
error = (*pDbeScreenPriv->SwapBuffers) (client, &nStuff, swapInfo);
|
error = (*pDbeScreenPriv->SwapBuffers) (client, &nStuff_i, swapInfo);
|
||||||
if (error != Success) {
|
if (error != Success) {
|
||||||
free(swapInfo);
|
free(swapInfo);
|
||||||
return error;
|
return error;
|
||||||
|
|
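Review bot: The narrowing assignment `nStuff_i = nStuff;` ahead of the `while (nStuff_i > 0)` loop depends on a bound that is checked outside these hunks and explained only in the commit message, so nothing at the conversion site says why the value cannot exceed INT_MAX. I would record the invariant where the conversion happens, e.g. `/* nStuff was bounded by UINT32_MAX / sizeof(DbeSwapInfoRec) above, so it fits in int */`. That argument holds only while sizeof(DbeSwapInfoRec) is at least 2. A cheap guard that rejects `nStuff > INT_MAX` with the same error the earlier bound check returns would keep the signed/unsigned boundary with the DDX safe if that check is ever loosened. ProcDbeSwapBuffers starts and ends outside the hunks shown, so the earlier check itself could not be confirmed from this page.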