aboutsummaryrefslogtreecommitdiff
path: root/nx-X11/programs/Xserver/dbe/dbe.c
diff options
context:
space:
mode:
authorKeith Packard <keithp@keithp.com>2014-12-09 09:30:57 -0800
committerUlrich Sibiller <u.sibiller@science-computing.de>2016-10-20 10:16:35 +0200
commite3e4062c35a5a337ca2edfddb0bf68b8b192fefb (patch)
tree30ecfea8fc2153e4dc39211f87fc7c7d4ca38d74 /nx-X11/programs/Xserver/dbe/dbe.c
parent01eaab8314a7b4a0cc5d5a10d9a0e87fc1709d72 (diff)
downloadnx-libs-e3e4062c35a5a337ca2edfddb0bf68b8b192fefb.tar.gz
nx-libs-e3e4062c35a5a337ca2edfddb0bf68b8b192fefb.tar.bz2
nx-libs-e3e4062c35a5a337ca2edfddb0bf68b8b192fefb.zip
dbe: Call to DDX SwapBuffers requires address of int, not unsigned int [CVE-2014-8097 pt. 2]
When the local types used to walk the DBE request were changed, this changed the type of the parameter passed to the DDX SwapBuffers API, but there wasn't a matching change in the API definition. At this point, with the API frozen, I just stuck a new variable in with the correct type. Because we've already bounds-checked nStuff to be smaller than UINT32_MAX / sizeof(DbeSwapInfoRec), we know it will fit in a signed int without overflow. Signed-off-by: Keith Packard <keithp@keithp.com Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
Diffstat (limited to 'nx-X11/programs/Xserver/dbe/dbe.c')
-rw-r--r--nx-X11/programs/Xserver/dbe/dbe.c7
1 files changed, 4 insertions, 3 deletions
diff --git a/nx-X11/programs/Xserver/dbe/dbe.c b/nx-X11/programs/Xserver/dbe/dbe.c
index 276919e34..58301e158 100644
--- a/nx-X11/programs/Xserver/dbe/dbe.c
+++ b/nx-X11/programs/Xserver/dbe/dbe.c
@@ -721,7 +721,7 @@ ProcDbeSwapBuffers(client)
int error;
unsigned int i, j;
unsigned int nStuff;
-
+ int nStuff_i; /* DDX API requires int for nStuff */
REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
nStuff = stuff->n; /* use local variable for performance. */
@@ -806,10 +806,11 @@ ProcDbeSwapBuffers(client)
* could deal with cross-screen synchronization.
*/
- while (nStuff > 0)
+ nStuff_i = nStuff;
+ while (nStuff_i > 0)
{
pDbeScreenPriv = DBE_SCREEN_PRIV_FROM_WINDOW(swapInfo[0].pWindow);
- error = (*pDbeScreenPriv->SwapBuffers)(client, &nStuff, swapInfo);
+ error = (*pDbeScreenPriv->SwapBuffers)(client, &nStuff_i, swapInfo);
if (error != Success)
{
free(swapInfo);