Xdmx: integer overflow in GetGLXVisualConfigs()
numVisuals & numProps are both CARD32 and need to be bounds checked before multiplying by structure sizes to come up with the total size to allocate, to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
This commit is contained in:
parent
74469895e3
commit
c89bcd12f4
|
@ -37,6 +37,7 @@
|
|||
#include <GL/glxproto.h>
|
||||
#include <X11/extensions/Xext.h>
|
||||
#include <X11/extensions/extutil.h>
|
||||
#include <limits.h>
|
||||
|
||||
#include "dmx_glxvisuals.h"
|
||||
|
||||
|
@ -84,7 +85,10 @@ GetGLXVisualConfigs(Display * dpy, int screen, int *nconfigs)
|
|||
SyncHandle();
|
||||
return NULL;
|
||||
}
|
||||
props = (INT32 *) Xmalloc(nprops * __GLX_SIZE_CARD32);
|
||||
if (nprops < (INT_MAX / __GLX_SIZE_CARD32))
|
||||
props = Xmalloc(nprops * __GLX_SIZE_CARD32);
|
||||
else
|
||||
props = NULL;
|
||||
if (!props) {
|
||||
UnlockDisplay(dpy);
|
||||
SyncHandle();
|
||||
|
@ -92,15 +96,16 @@ GetGLXVisualConfigs(Display * dpy, int screen, int *nconfigs)
|
|||
}
|
||||
|
||||
/* Allocate memory for our config structure */
|
||||
config = (__GLXvisualConfig *)
|
||||
Xmalloc(nvisuals * sizeof(__GLXvisualConfig));
|
||||
if (nvisuals < (INT_MAX / sizeof(__GLXvisualConfig)))
|
||||
config = Xcalloc(nvisuals, sizeof(__GLXvisualConfig));
|
||||
else
|
||||
config = NULL;
|
||||
if (!config) {
|
||||
free(props);
|
||||
UnlockDisplay(dpy);
|
||||
SyncHandle();
|
||||
return NULL;
|
||||
}
|
||||
memset(config, 0, nvisuals * sizeof(__GLXvisualConfig));
|
||||
configs = config;
|
||||
num_good_visuals = 0;
|
||||
|
||||
|
|
Loading…
Reference in New Issue
Block a user