blob: 4a3eaa9e9c3dca3c59df6baa2cd000577c4d7ef3 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
|
From 4ca68b878e851e2136c234f40a25008297d8d831 Mon Sep 17 00:00:00 2001
From: Nathan Kidd <nkidd@opentext.com>
Date: Fri, 9 Jan 2015 10:09:14 -0500
Subject: dbe: Unvalidated variable-length request in ProcDbeGetVisualInfo
(CVE-2017-12177)
v2: Protect against integer overflow (Alan Coopersmith)
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Nathan Kidd <nkidd@opentext.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
diff --git a/dbe/dbe.c b/dbe/dbe.c
index 9a0c7a7..292a223 100644
--- a/dbe/dbe.c
+++ b/dbe/dbe.c
@@ -574,6 +574,9 @@ ProcDbeGetVisualInfo(ClientPtr client)
XdbeScreenVisualInfo *pScrVisInfo;
REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq);
+ if (stuff->n > UINT32_MAX / sizeof(CARD32))
+ return BadLength;
+ REQUEST_FIXED_SIZE(xDbeGetVisualInfoReq, stuff->n * sizeof(CARD32));
if (stuff->n > UINT32_MAX / sizeof(DrawablePtr))
return BadAlloc;
@@ -924,7 +927,7 @@ SProcDbeSwapBuffers(ClientPtr client)
swapl(&stuff->n);
if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))
- return BadAlloc;
+ return BadLength;
REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo));
if (stuff->n != 0) {
--
cgit v0.10.2
|