diff options
author | Mike Gabriel <mike.gabriel@das-netzwerkteam.de> | 2015-05-31 16:50:39 +0200 |
---|---|---|
committer | Mike Gabriel <mike.gabriel@das-netzwerkteam.de> | 2015-05-31 16:50:39 +0200 |
commit | 11b26436b477b51a1b07e333d2223169f7987d49 (patch) | |
tree | 2cb2bdf1ab43845f0c6c3f8fbb8e916e4e76dbf5 /nx-X11 | |
parent | 4ed85e8ef572130d7862b155d3ee9c1e52743230 (diff) | |
parent | 2db01a9a28c4d1aa5483fe7004e1cf2c50e5f1ee (diff) | |
download | nx-libs-11b26436b477b51a1b07e333d2223169f7987d49.tar.gz nx-libs-11b26436b477b51a1b07e333d2223169f7987d49.tar.bz2 nx-libs-11b26436b477b51a1b07e333d2223169f7987d49.zip |
Merge pull request #45 from ArcticaProject/pr/dix-cve-fixes
DIX CVE fixes in nx-X11/programs/Xserver/hw/nxagent/ rather than nx-X11/programs/Xserver/dix/.
Diffstat (limited to 'nx-X11')
-rw-r--r-- | nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c | 4 | ||||
-rw-r--r-- | nx-X11/programs/Xserver/hw/nxagent/NXdixfonts.c | 5 |
2 files changed, 8 insertions, 1 deletions
diff --git a/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c b/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c index 3d9ee8c7f..0ed7277a1 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c +++ b/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c @@ -2618,7 +2618,9 @@ ProcPutImage(register ClientPtr client) tmpImage = (char *)&stuff[1]; lengthProto = length; - + if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height)) + return BadLength; + if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) + (sizeof(xPutImageReq) >> 2)) != client->req_len) return BadLength; diff --git a/nx-X11/programs/Xserver/hw/nxagent/NXdixfonts.c b/nx-X11/programs/Xserver/hw/nxagent/NXdixfonts.c index 922443633..5622f8cee 100644 --- a/nx-X11/programs/Xserver/hw/nxagent/NXdixfonts.c +++ b/nx-X11/programs/Xserver/hw/nxagent/NXdixfonts.c @@ -1694,6 +1694,7 @@ doImageText(ClientPtr client, register ITclosurePtr c) GC *pGC; unsigned char *data; ITclosurePtr new_closure; + ITclosurePtr old_closure; /* We're putting the client to sleep. We need to save some state. Similar problem to that handled @@ -1706,6 +1707,7 @@ doImageText(ClientPtr client, register ITclosurePtr c) err = BadAlloc; goto bail; } + old_closure = c; *new_closure = *c; c = new_closure; @@ -1713,6 +1715,7 @@ doImageText(ClientPtr client, register ITclosurePtr c) if (!data) { xfree(c); + c = old_closure; err = BadAlloc; goto bail; } @@ -1724,6 +1727,7 @@ doImageText(ClientPtr client, register ITclosurePtr c) { xfree(c->data); xfree(c); + c = old_closure; err = BadAlloc; goto bail; } @@ -1742,6 +1746,7 @@ doImageText(ClientPtr client, register ITclosurePtr c) FreeScratchGC(pGC); xfree(c->data); xfree(c); + c = old_closure; err = BadAlloc; goto bail; } |