dbe: Unvalidated variable-length request in ProcDbeGetVisualInfo (CVE-2017-12177)
v2: Protect against integer overflow (Alan Coopersmith)
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Nathan Kidd <nkidd@opentext.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
(cherry picked from commit 4ca68b878e
)
This commit is contained in:
parent
6c15122163
commit
cc41e5b581
|
@ -574,6 +574,9 @@ ProcDbeGetVisualInfo(ClientPtr client)
|
|||
XdbeScreenVisualInfo *pScrVisInfo;
|
||||
|
||||
REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq);
|
||||
if (stuff->n > UINT32_MAX / sizeof(CARD32))
|
||||
return BadLength;
|
||||
REQUEST_FIXED_SIZE(xDbeGetVisualInfoReq, stuff->n * sizeof(CARD32));
|
||||
|
||||
if (stuff->n > UINT32_MAX / sizeof(DrawablePtr))
|
||||
return BadAlloc;
|
||||
|
@ -924,7 +927,7 @@ SProcDbeSwapBuffers(ClientPtr client)
|
|||
|
||||
swapl(&stuff->n);
|
||||
if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))
|
||||
return BadAlloc;
|
||||
return BadLength;
|
||||
REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo));
|
||||
|
||||
if (stuff->n != 0) {
|
||||
|
|
Loading…
Reference in New Issue