aboutsummaryrefslogtreecommitdiff
path: root/nx-X11/programs/Xserver/include
diff options
context:
space:
mode:
authorAlan Coopersmith <alan.coopersmith@oracle.com>2014-01-22 22:37:15 -0800
committerMike Gabriel <mike.gabriel@das-netzwerkteam.de>2015-02-14 16:14:32 +0100
commited1e13a1f4e316bcf0dc0d4b2c16b1df3f075005 (patch)
tree37604d6c64ea88fd97a25c78d49d6d0a50ce99a8 /nx-X11/programs/Xserver/include
parentd4c76981f7fddb364166464c571ed8d3de3086cd (diff)
downloadnx-libs-ed1e13a1f4e316bcf0dc0d4b2c16b1df3f075005.tar.gz
nx-libs-ed1e13a1f4e316bcf0dc0d4b2c16b1df3f075005.tar.bz2
nx-libs-ed1e13a1f4e316bcf0dc0d4b2c16b1df3f075005.zip
dix: integer overflow in RegionSizeof() [CVE-2014-8092 3/4]
RegionSizeof contains several integer overflows if a large length value is passed in. Once we fix it to return 0 on overflow, we also have to fix the callers to handle this error condition v2: Fixed limit calculation in RegionSizeof as pointed out by jcristau. v3: backport to nx-libs 3.6.x (Mike DePaulo) Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: Julien Cristau <jcristau@debian.org> Conflicts: dix/region.c include/regionstr.h
Diffstat (limited to 'nx-X11/programs/Xserver/include')
-rw-r--r--nx-X11/programs/Xserver/include/regionstr.h10
1 files changed, 7 insertions, 3 deletions
diff --git a/nx-X11/programs/Xserver/include/regionstr.h b/nx-X11/programs/Xserver/include/regionstr.h
index 000bf3f41..cf41170a6 100644
--- a/nx-X11/programs/Xserver/include/regionstr.h
+++ b/nx-X11/programs/Xserver/include/regionstr.h
@@ -53,6 +53,9 @@ SOFTWARE.
typedef struct _Region RegionRec, *RegionPtr;
+#include <stddef.h>
+#include <limits.h>
+
#include "miscstruct.h"
/* Return values from RectIn() */
@@ -93,7 +96,7 @@ extern RegDataRec miBrokenData;
#define REGION_BOX(reg,i) (&REGION_BOXPTR(reg)[i])
#define REGION_TOP(reg) REGION_BOX(reg, (reg)->data->numRects)
#define REGION_END(reg) REGION_BOX(reg, (reg)->data->numRects - 1)
-#define REGION_SZOF(n) (sizeof(RegDataRec) + ((n) * sizeof(BoxRec)))
+#define REGION_SZOF(n) (n < ((INT_MAX - sizeof(RegDataRec)) / sizeof(BoxRec)) ? sizeof(RegDataRec) + ((n) * sizeof(BoxRec)) : 0)
/* Keith recommends weaning the region code of pScreen argument */
#define REG_pScreen screenInfo.screens[0]
@@ -257,9 +260,10 @@ extern RegDataRec miBrokenData;
} \
else \
{ \
+ size_t rgnSize; \
(_pReg)->extents = miEmptyBox; \
- if (((_size) > 1) && ((_pReg)->data = \
- (RegDataPtr)xalloc(REGION_SZOF(_size)))) \
+ if (((_size) > 1) && ((rgnSize = REGION_SZOF(_size)) > 0) && \
+ ((_pReg)->data = (RegDataPtr)xalloc(rgnSize))) \
{ \
(_pReg)->data->size = (_size); \
(_pReg)->data->numRects = 0; \