diff options
| author | Mike Gabriel <mike.gabriel@das-netzwerkteam.de> | 2015-04-15 10:16:18 +0200 |
|---|---|---|
| committer | Mike Gabriel <mike.gabriel@das-netzwerkteam.de> | 2015-04-15 10:16:18 +0200 |
| commit | 10c40f06e4af9fdb5f34fd09c42c684705662078 (patch) | |
| tree | e3e24fa05b730a364035dc437afd7efc33f9f03b /nxcomp/DecodeBuffer.h | |
| parent | 65543af56f4f97180b8dda998d5d7101d51ac1a3 (diff) | |
| download | nx-libs-10c40f06e4af9fdb5f34fd09c42c684705662078.tar.gz nx-libs-10c40f06e4af9fdb5f34fd09c42c684705662078.tar.bz2 nx-libs-10c40f06e4af9fdb5f34fd09c42c684705662078.zip | |
MakeBigReq: don't move the last word, already handled by Data32 (X.Org CVE-2013-7439).
MakeBigReq inserts a length field after the first 4 bytes of the request
(after req->length), pushing everything else back by 4 bytes.
The current memmove moves everything but the first 4 bytes back. If a
request aligns to the end of the buffer pointer when MakeBigReq is
invoked for that request, this runs over the buffer. Instead, we need to
memmove minus the first 4 bytes (which aren't moved), minus the last 4
bytes (so we still align to the previous tail).
The 4 bytes that fell out are already handled with Data32, which will
handle the buffermax correctly.
The case where req->length = 1 was already not functional.
Reported by Abhishek Arya <inferno@chromium.org> (against X.Org BTS).
https://bugzilla.mozilla.org/show_bug.cgi?id=803762
Reviewed-by: Jeff Muizelaar <jmuizelaar@mozilla.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Rebased-for-NX: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
Diffstat (limited to 'nxcomp/DecodeBuffer.h')
0 files changed, 0 insertions, 0 deletions