blob: 346756033e3bc41c454380ecc832f29670dc0ab8 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
|
From d088e3c1286b548a58e62afdc70bb40981cdb9e8 Mon Sep 17 00:00:00 2001
From: Nathan Kidd <nkidd@opentext.com>
Date: Fri, 9 Jan 2015 10:04:41 -0500
Subject: Xi: integer overflow and unvalidated length in
(S)ProcXIBarrierReleasePointer
[jcristau: originally this patch fixed the same issue as commit
211e05ac85 "Xi: Test exact size of XIBarrierReleasePointer", with the
addition of these checks]
This addresses CVE-2017-12179
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Signed-off-by: Nathan Kidd <nkidd@opentext.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
diff --git a/Xi/xibarriers.c b/Xi/xibarriers.c
index d82ecb6..d0be701 100644
--- a/Xi/xibarriers.c
+++ b/Xi/xibarriers.c
@@ -834,6 +834,8 @@ SProcXIBarrierReleasePointer(ClientPtr client)
REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
swapl(&stuff->num_barriers);
+ if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo))
+ return BadLength;
REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
info = (xXIBarrierReleasePointerInfo*) &stuff[1];
@@ -856,6 +858,9 @@ ProcXIBarrierReleasePointer(ClientPtr client)
xXIBarrierReleasePointerInfo *info;
REQUEST(xXIBarrierReleasePointerReq);
+ REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
+ if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo))
+ return BadLength;
REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
info = (xXIBarrierReleasePointerInfo*) &stuff[1];
--
cgit v0.10.2
|