aboutsummaryrefslogtreecommitdiff
path: root/nx-X11/programs/Xserver
diff options
context:
space:
mode:
authorAlan Coopersmith <alan.coopersmith@oracle.com>2014-01-22 21:11:16 -0800
committerMike Gabriel <mike.gabriel@das-netzwerkteam.de>2015-02-14 16:14:31 +0100
commitc1225fe6451d7a5f3741ce0fff8f54e38e0a14da (patch)
tree17d97e36bcb0c57b66d9c9a6a75bfe036b818793 /nx-X11/programs/Xserver
parent37e7fb1f64b29ef06ec4d69ab0b7afa99c613383 (diff)
downloadnx-libs-c1225fe6451d7a5f3741ce0fff8f54e38e0a14da.tar.gz
nx-libs-c1225fe6451d7a5f3741ce0fff8f54e38e0a14da.tar.bz2
nx-libs-c1225fe6451d7a5f3741ce0fff8f54e38e0a14da.zip
dix: integer overflow in ProcPutImage() [CVE-2014-8092 1/4]
ProcPutImage() calculates a length field from a width, left pad and depth specified by the client (if the specified format is XYPixmap). The calculations for the total amount of memory the server needs for the pixmap can overflow a 32-bit number, causing out-of-bounds memory writes on 32-bit systems (since the length is stored in a long int variable). v2: backport to nx-libs 3.6.x (Mike DePaulo) Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Conflicts: dix/dispatch.c
Diffstat (limited to 'nx-X11/programs/Xserver')
-rw-r--r--nx-X11/programs/Xserver/dix/dispatch.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/nx-X11/programs/Xserver/dix/dispatch.c b/nx-X11/programs/Xserver/dix/dispatch.c
index 6941456de..5ad2f5af2 100644
--- a/nx-X11/programs/Xserver/dix/dispatch.c
+++ b/nx-X11/programs/Xserver/dix/dispatch.c
@@ -2071,7 +2071,9 @@ ProcPutImage(register ClientPtr client)
tmpImage = (char *)&stuff[1];
lengthProto = length;
-
+ if (lengthProto >= (INT32_MAX / stuff->height))
+ return BadLength;
+
if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) +
(sizeof(xPutImageReq) >> 2)) != client->req_len)
return BadLength;