Xi: integer overflow and unvalidated length in (S)ProcXIBarrierReleasePointer
[jcristau: originally this patch fixed the same issue as commit
211e05ac85
"Xi: Test exact size of XIBarrierReleasePointer", with the
addition of these checks]
This addresses CVE-2017-12179
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Signed-off-by: Nathan Kidd <nkidd@opentext.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
This commit is contained in:
parent
1b1d4c0469
commit
d088e3c128
|
@ -834,6 +834,8 @@ SProcXIBarrierReleasePointer(ClientPtr client)
|
|||
REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
|
||||
|
||||
swapl(&stuff->num_barriers);
|
||||
if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo))
|
||||
return BadLength;
|
||||
REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
|
||||
|
||||
info = (xXIBarrierReleasePointerInfo*) &stuff[1];
|
||||
|
@ -856,6 +858,9 @@ ProcXIBarrierReleasePointer(ClientPtr client)
|
|||
xXIBarrierReleasePointerInfo *info;
|
||||
|
||||
REQUEST(xXIBarrierReleasePointerReq);
|
||||
REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
|
||||
if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo))
|
||||
return BadLength;
|
||||
REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
|
||||
|
||||
info = (xXIBarrierReleasePointerInfo*) &stuff[1];
|
||||
|
|
Loading…
Reference in New Issue