dbe: Unvalidated variable-length request in ProcDbeGetVisualInfo (CVE-2017-12177)

v2: Protect against integer overflow (Alan Coopersmith) Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Signed-off-by: Nathan Kidd <nkidd@opentext.com> Signed-off-by: Julien Cristau <jcristau@debian.org> (cherry picked from commit 4ca68b878e)
2015-01-09 10:09:14 -05:00 · 2015-01-09 10:09:14 -05:00 · cc41e5b581
parent 6c15122163
commit cc41e5b581
1 changed files with 4 additions and 1 deletions
--- a/dbe/dbe.c
+++ b/dbe/dbe.c
@ -574,6 +574,9 @@ ProcDbeGetVisualInfo(ClientPtr client)
    XdbeScreenVisualInfo *pScrVisInfo;

    REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq);
+    if (stuff->n > UINT32_MAX / sizeof(CARD32))
+        return BadLength;
+    REQUEST_FIXED_SIZE(xDbeGetVisualInfoReq, stuff->n * sizeof(CARD32));

    if (stuff->n > UINT32_MAX / sizeof(DrawablePtr))
        return BadAlloc;
@ -924,7 +927,7 @@ SProcDbeSwapBuffers(ClientPtr client)

    swapl(&stuff->n);
    if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))
-        return BadAlloc;
+        return BadLength;
    REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo));

    if (stuff->n != 0) {