authorAlan Coopersmith <alan.coopersmith@oracle.com>2014-01-22 23:12:04 -0800
committerMike Gabriel <mike.gabriel@das-netzwerkteam.de>2015-02-14 16:14:32 +0100
commit985ca320f841bd9a3efc484f92436b3d65ec1b31 (patch)
tree64ec53aa1272c0888b3b19f3efaae8e4471bd3f0
parent82d7279ebfa04f319e68145b3adbf65716e59584 (diff)
dbe: unvalidated lengths in DbeSwapBuffers calls [CVE-2014-8097]
ProcDbeSwapBuffers() has a 32bit (n) length value that it uses to read from a buffer. The length is never validated, which can lead to out of bound reads, and possibly returning the data read from out of bounds to the misbehaving client via an X Error packet. SProcDbeSwapBuffers() swaps data (for correct endianness) before handing it off to the real proc. While doing the swapping, the length field is not validated, which can cause memory corruption. v2: reorder checks to avoid compilers optimizing out checks for overflow that happen after we'd already have done the overflowing multiplications. v3: backport to nx-libs 3.6.x (Mike DePaulo) Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Conflicts: dbe/dbe.c
-rw-r--r--nx-X11/programs/Xserver/dbe/dbe.c11
1 files changed, 8 insertions, 3 deletions
diff --git a/nx-X11/programs/Xserver/dbe/dbe.c b/nx-X11/programs/Xserver/dbe/dbe.c
index c0d6131b7..5a1e9b00b 100644
--- a/nx-X11/programs/Xserver/dbe/dbe.c
+++ b/nx-X11/programs/Xserver/dbe/dbe.c
@@ -725,8 +725,8 @@ ProcDbeSwapBuffers(client)
DbeSwapInfoPtr swapInfo;
xDbeSwapInfo *dbeSwapInfo;
int error;
- register int i, j;
- int nStuff;
+ unsigned int i, j;
+ unsigned int nStuff;
REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
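Review bot: Turning `i` and `j` into `unsigned int` at `unsigned int i, j;` is only safe if every loop in the remainder of ProcDbeSwapBuffers, which continues past this hunk, counts upward and never tests them against a negative or signed bound; a `j >= 0` countdown would become an infinite loop, so that part of the body should be checked. The change to `nStuff` is clearly right: the next hunk compares it with `UINT32_MAX / sizeof(DbeSwapInfoRec)`, and as a signed `int` a negative value would have been converted to `size_t` for that comparison and slipped under the bound. The declaration deserves a one-line reason, e.g. `/* unsigned: copied from the wire n (presumably CARD32), so the overflow bound below is meaningful */`.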
@@ -734,11 +734,13 @@ ProcDbeSwapBuffers(client)
if (nStuff == 0)
{
+ REQUEST_SIZE_MATCH(xDbeSwapBuffersReq);
return(Success);
}
if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec))
return BadAlloc;
+ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, nStuff * sizeof(xDbeSwapInfo));
/* Get to the swap info appended to the end of the request. */
dbeSwapInfo = (xDbeSwapInfo *)&stuff[1];
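Review bot: The overflow guard `nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec)` divides by the server-side record size, while the added `REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, nStuff * sizeof(xDbeSwapInfo))` multiplies by the wire struct, and nothing in the hunk says why the two differ. The bound is still sufficient for the length check as long as DbeSwapInfoRec is at least as large as xDbeSwapInfo, which I would expect since it holds a pointer plus the action byte, but that assumption and the allocation it is really sized for (further down, outside the hunk) are invisible here. Suggest a comment above the guard: `/* Bound chosen for the swapInfo allocation below; DbeSwapInfoRec is not smaller than xDbeSwapInfo, so the wire-length product in REQUEST_FIXED_SIZE cannot wrap either */`. The `REQUEST_SIZE_MATCH` placed in the `nStuff == 0` branch before `return(Success)` is correct and now rejects a zero-entry request carrying trailing bytes with BadLength, which is worth a note in the commit for client compatibility.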
@@ -1289,7 +1291,7 @@ SProcDbeSwapBuffers(client)
ClientPtr client;
{
REQUEST(xDbeSwapBuffersReq);
- register int i, n;
+ unsigned int i, n;
xDbeSwapInfo *pSwapInfo;
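Review bot: In `unsigned int i, n;` the local `n` is the scratch argument of the two-argument `swapl(&stuff->n, n)` in the next hunk, and sitting beside `stuff->n`, which this function now bounds-checks, it invites misreading as the element count. Renaming the scratch variable, `unsigned int i, tmp;` with the swap calls updated to `swapl(&stuff->n, tmp);`, keeps the two apart; the `swaps` call on `stuff->length` that also uses it is outside this hunk and would need the same edit.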
@@ -1297,6 +1299,9 @@ SProcDbeSwapBuffers(client)
REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
swapl(&stuff->n, n);
+ if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))
+ return BadAlloc;
+ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo));
if (stuff->n != 0)
{
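Review bot: The guard `if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))` protects a product that in this function is `stuff->n * sizeof(xDbeSwapInfo)` on the next line, so the divisor looks copied from ProcDbeSwapBuffers rather than derived from what SProcDbeSwapBuffers does; it is sound only because DbeSwapInfoRec is not smaller than the wire struct, a dependency nobody will see when the bound is later tuned. I would state it: `/* same bound as ProcDbeSwapBuffers; DbeSwapInfoRec >= xDbeSwapInfo, so n * sizeof(xDbeSwapInfo) cannot wrap on ILP32 */`. Note that the length check is needed here and not only in the Proc, because the per-entry swapping loop that follows the `{` ending this hunk, outside the view, walks `stuff->n` records before the real handler sees the request. With `stuff->n == 0` the `REQUEST_FIXED_SIZE` reduces to an exact-size match, which keeps this path consistent with the `REQUEST_SIZE_MATCH` added in ProcDbeSwapBuffers.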