diff options
author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2014-01-22 22:37:15 -0800 |
---|---|---|
committer | Mike Gabriel <mike.gabriel@das-netzwerkteam.de> | 2015-02-14 16:14:32 +0100 |
commit | ed1e13a1f4e316bcf0dc0d4b2c16b1df3f075005 (patch) | |
tree | 37604d6c64ea88fd97a25c78d49d6d0a50ce99a8 /nx-X11/programs/Xserver/include | |
parent | d4c76981f7fddb364166464c571ed8d3de3086cd (diff) | |
download | nx-libs-ed1e13a1f4e316bcf0dc0d4b2c16b1df3f075005.tar.gz nx-libs-ed1e13a1f4e316bcf0dc0d4b2c16b1df3f075005.tar.bz2 nx-libs-ed1e13a1f4e316bcf0dc0d4b2c16b1df3f075005.zip |
dix: integer overflow in RegionSizeof() [CVE-2014-8092 3/4]
RegionSizeof contains several integer overflows if a large length
value is passed in. Once we fix it to return 0 on overflow, we
also have to fix the callers to handle this error condition
v2: Fixed limit calculation in RegionSizeof as pointed out by jcristau.
v3: backport to nx-libs 3.6.x (Mike DePaulo)
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Conflicts:
dix/region.c
include/regionstr.h
Diffstat (limited to 'nx-X11/programs/Xserver/include')
-rw-r--r-- | nx-X11/programs/Xserver/include/regionstr.h | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/nx-X11/programs/Xserver/include/regionstr.h b/nx-X11/programs/Xserver/include/regionstr.h index 000bf3f41..cf41170a6 100644 --- a/nx-X11/programs/Xserver/include/regionstr.h +++ b/nx-X11/programs/Xserver/include/regionstr.h @@ -53,6 +53,9 @@ SOFTWARE. typedef struct _Region RegionRec, *RegionPtr; +#include <stddef.h> +#include <limits.h> + #include "miscstruct.h" /* Return values from RectIn() */ @@ -93,7 +96,7 @@ extern RegDataRec miBrokenData; #define REGION_BOX(reg,i) (®ION_BOXPTR(reg)[i]) #define REGION_TOP(reg) REGION_BOX(reg, (reg)->data->numRects) #define REGION_END(reg) REGION_BOX(reg, (reg)->data->numRects - 1) -#define REGION_SZOF(n) (sizeof(RegDataRec) + ((n) * sizeof(BoxRec))) +#define REGION_SZOF(n) (n < ((INT_MAX - sizeof(RegDataRec)) / sizeof(BoxRec)) ? sizeof(RegDataRec) + ((n) * sizeof(BoxRec)) : 0) /* Keith recommends weaning the region code of pScreen argument */ #define REG_pScreen screenInfo.screens[0] @@ -257,9 +260,10 @@ extern RegDataRec miBrokenData; } \ else \ { \ + size_t rgnSize; \ (_pReg)->extents = miEmptyBox; \ - if (((_size) > 1) && ((_pReg)->data = \ - (RegDataPtr)xalloc(REGION_SZOF(_size)))) \ + if (((_size) > 1) && ((rgnSize = REGION_SZOF(_size)) > 0) && \ + ((_pReg)->data = (RegDataPtr)xalloc(rgnSize))) \ { \ (_pReg)->data->size = (_size); \ (_pReg)->data->numRects = 0; \ |