diff options
Diffstat (limited to 'nx-X11/programs/Xserver/Xext')
| -rw-r--r-- | nx-X11/programs/Xserver/Xext/security.c | 10 | ||||
| -rw-r--r-- | nx-X11/programs/Xserver/Xext/security.c.NX.original | 10 | ||||
| -rw-r--r-- | nx-X11/programs/Xserver/Xext/security.c.X.original | 10 | ||||
| -rw-r--r-- | nx-X11/programs/Xserver/Xext/shm.c | 13 |
4 files changed, 32 insertions, 11 deletions
diff --git a/nx-X11/programs/Xserver/Xext/security.c b/nx-X11/programs/Xserver/Xext/security.c index cee89354a..e3cca43eb 100644 --- a/nx-X11/programs/Xserver/Xext/security.c +++ b/nx-X11/programs/Xserver/Xext/security.c @@ -813,15 +813,19 @@ SProcSecurityGenerateAuthorization( register char n; CARD32 *values; unsigned long nvalues; + int values_offset; swaps(&stuff->length, n); REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq); swaps(&stuff->nbytesAuthProto, n); swaps(&stuff->nbytesAuthData, n); swapl(&stuff->valueMask, n); - values = (CARD32 *)(&stuff[1]) + - ((stuff->nbytesAuthProto + (unsigned)3) >> 2) + - ((stuff->nbytesAuthData + (unsigned)3) >> 2); + values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) + + ((stuff->nbytesAuthData + (unsigned)3) >> 2); + if (values_offset > + stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2)) + return BadLength; + values = (CARD32 *)(&stuff[1]) + values_offset; nvalues = (((CARD32 *)stuff) + stuff->length) - values; SwapLongs(values, nvalues); return ProcSecurityGenerateAuthorization(client); diff --git a/nx-X11/programs/Xserver/Xext/security.c.NX.original b/nx-X11/programs/Xserver/Xext/security.c.NX.original index cee89354a..e3cca43eb 100644 --- a/nx-X11/programs/Xserver/Xext/security.c.NX.original +++ b/nx-X11/programs/Xserver/Xext/security.c.NX.original @@ -813,15 +813,19 @@ SProcSecurityGenerateAuthorization( register char n; CARD32 *values; unsigned long nvalues; + int values_offset; swaps(&stuff->length, n); REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq); swaps(&stuff->nbytesAuthProto, n); swaps(&stuff->nbytesAuthData, n); swapl(&stuff->valueMask, n); - values = (CARD32 *)(&stuff[1]) + - ((stuff->nbytesAuthProto + (unsigned)3) >> 2) + - ((stuff->nbytesAuthData + (unsigned)3) >> 2); + values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) + + ((stuff->nbytesAuthData + (unsigned)3) >> 2); + if (values_offset > + stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2)) + return BadLength; + values = (CARD32 *)(&stuff[1]) + values_offset; nvalues = (((CARD32 *)stuff) + stuff->length) - values; SwapLongs(values, nvalues); return ProcSecurityGenerateAuthorization(client); diff --git a/nx-X11/programs/Xserver/Xext/security.c.X.original b/nx-X11/programs/Xserver/Xext/security.c.X.original index 765769a7c..c6a516733 100644 --- a/nx-X11/programs/Xserver/Xext/security.c.X.original +++ b/nx-X11/programs/Xserver/Xext/security.c.X.original @@ -652,15 +652,19 @@ SProcSecurityGenerateAuthorization( register char n; CARD32 *values; unsigned long nvalues; + int values_offset; swaps(&stuff->length, n); REQUEST_AT_LEAST_SIZE(xSecurityGenerateAuthorizationReq); swaps(&stuff->nbytesAuthProto, n); swaps(&stuff->nbytesAuthData, n); swapl(&stuff->valueMask, n); - values = (CARD32 *)(&stuff[1]) + - ((stuff->nbytesAuthProto + (unsigned)3) >> 2) + - ((stuff->nbytesAuthData + (unsigned)3) >> 2); + values_offset = ((stuff->nbytesAuthProto + (unsigned)3) >> 2) + + ((stuff->nbytesAuthData + (unsigned)3) >> 2); + if (values_offset > + stuff->length - (sz_xSecurityGenerateAuthorizationReq >> 2)) + return BadLength; + values = (CARD32 *)(&stuff[1]) + values_offset; nvalues = (((CARD32 *)stuff) + stuff->length) - values; SwapLongs(values, nvalues); return ProcSecurityGenerateAuthorization(client); diff --git a/nx-X11/programs/Xserver/Xext/shm.c b/nx-X11/programs/Xserver/Xext/shm.c index e2cf8cd24..f25bb9b5d 100644 --- a/nx-X11/programs/Xserver/Xext/shm.c +++ b/nx-X11/programs/Xserver/Xext/shm.c @@ -863,8 +863,17 @@ ProcShmPutImage(client) return BadValue; } - VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight, - client); + /* + * There's a potential integer overflow in this check: + * VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight, + * client); + * the version below ought to avoid it + */ + if (stuff->totalHeight != 0 && + length > (shmdesc->size - stuff->offset)/stuff->totalHeight) { + client->errorValue = stuff->totalWidth; + return BadValue; + } if (stuff->srcX > stuff->totalWidth) { client->errorValue = stuff->srcX; |