From cbc2d300b984d7ebc789deac0642104f223c2920 Mon Sep 17 00:00:00 2001
From: Peter Harris
Date: Tue, 14 Feb 2017 15:19:18 +0000
Subject: Fix overflow of ConnectionOutput->size and ->count
commit 4b0d0df34f10a88c10cb23dd50087b59f5c4fece
Author: Peter Harris
Date: Mon Nov 17 14:31:24 2014 -0500
Fix overflow of ConnectionOutput->size and ->count
When (long) is larger than (int), and when realloc succeeds with sizes larger than INT_MAX, ConnectionOutput->size and ConnectionOutput->count overflow and become negative. When ConnectionOutput->count is negative, InsertIOV does not actually insert an IOV, and FlushClient goes into an infinite loop of writev(fd, iov, 0) [an empty list]. Avoid this situation by killing the client when it has more than INT_MAX unread bytes of data.
Signed-off-by: Peter Harris
Reviewed-by: Keith Packard
Signed-off-by: Keith Packard
Backported-to-NX-by: Mike Gabriel
---
 nx-X11/programs/Xserver/os/io.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/nx-X11/programs/Xserver/os/io.c b/nx-X11/programs/Xserver/os/io.c
index f4da96518..4dc1e7a34 100644
--- a/nx-X11/programs/Xserver/os/io.c
+++ b/nx-X11/programs/Xserver/os/io.c
@@ -1087,10 +1087,11 @@ FlushClient(ClientPtr who, OsCommPtr oc, const void *__extraBuf, int extraCount)
     if (notWritten > oco->size)
     {
-        unsigned char *obuf;
+        unsigned char *obuf = NULL;
-        obuf = (unsigned char *)realloc(oco->buf,
-                                        notWritten + BUFSIZE);
+        if (notWritten + BUFSIZE <= INT_MAX) {
+            obuf = realloc(oco->buf, notWritten + BUFSIZE);
+        }
         if (!obuf)
         {
             _XSERVTransDisconnect(oc->trans_conn);
-- 
cgit v1.2.3
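Review bot: The new guard `if (notWritten + BUFSIZE <= INT_MAX)` evaluates the sum before comparing it, so on a target where `long` is no wider than `int` (the commit message only covers the case where it is wider) the addition itself can overflow before the bound is applied, which is signed-overflow undefined behaviour and can let an oversized request reach the realloc. Writing it as `if (notWritten <= INT_MAX - BUFSIZE)` checks the same bound with no intermediate sum and works on both data models. The computation of `notWritten` that feeds this check is outside the hunk; if it adds two `int`-width quantities it deserves the same treatment, which I cannot confirm from here. `INT_MAX` requires `<limits.h>`; the hunk does not show whether io.c already includes it, so that is worth checking on the build. FlushClient begins and ends outside the hunk.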