diff options
author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2014-01-22 21:11:16 -0800 |
---|---|---|
committer | Mike DePaulo <mikedep333@gmail.com> | 2015-05-30 21:59:45 -0400 |
commit | 8623faa422c3659903bdb5d19eb8947579e6141f (patch) | |
tree | a35f36c3fa585b109f5571794a47b3b96ee6447e | |
parent | c2298e0757106c03f2a9a95d5493102f33c3cfdb (diff) | |
download | nx-libs-8623faa422c3659903bdb5d19eb8947579e6141f.tar.gz nx-libs-8623faa422c3659903bdb5d19eb8947579e6141f.tar.bz2 nx-libs-8623faa422c3659903bdb5d19eb8947579e6141f.zip |
dix: integer overflow in ProcPutImage() [CVE-2014-8092 1/4]
ProcPutImage() calculates a length field from a width, left pad and depth
specified by the client (if the specified format is XYPixmap).
The calculations for the total amount of memory the server needs for the
pixmap can overflow a 32-bit number, causing out-of-bounds memory writes
on 32-bit systems (since the length is stored in a long int variable).
v2: backport to nx-libs 3.6.x (Mike DePaulo)
v3: port to NXdispatch.c rather than dispatch.c (Mike DePaulo)
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Conflicts:
dix/dispatch.c
-rw-r--r-- | nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c b/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c index 3d9ee8c7f..e5bec8aba 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c +++ b/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c @@ -2618,7 +2618,9 @@ ProcPutImage(register ClientPtr client) tmpImage = (char *)&stuff[1]; lengthProto = length; - + if (lengthProto >= (INT32_MAX / stuff->height)) + return BadLength; + if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) + (sizeof(xPutImageReq) >> 2)) != client->req_len) return BadLength; |