From e3e4062c35a5a337ca2edfddb0bf68b8b192fefb Mon Sep 17 00:00:00 2001 From: Keith Packard Date: Tue, 9 Dec 2014 09:30:57 -0800 Subject: dbe: Call to DDX SwapBuffers requires address of int, not unsigned int [CVE-2014-8097 pt. 2] When the local types used to walk the DBE request were changed, this changed the type of the parameter passed to the DDX SwapBuffers API, but there wasn't a matching change in the API definition. At this point, with the API frozen, I just stuck a new variable in with the correct type. Because we've already bounds-checked nStuff to be smaller than UINT32_MAX / sizeof(DbeSwapInfoRec), we know it will fit in a signed int without overflow. Signed-off-by: Keith Packard Signed-off-by: Alan Coopersmith Backported-to-NX-by: Ulrich Sibiller --- nx-X11/programs/Xserver/dbe/dbe.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'nx-X11/programs') diff --git a/nx-X11/programs/Xserver/dbe/dbe.c b/nx-X11/programs/Xserver/dbe/dbe.c index 276919e34..58301e158 100644 --- a/nx-X11/programs/Xserver/dbe/dbe.c +++ b/nx-X11/programs/Xserver/dbe/dbe.c @@ -721,7 +721,7 @@ ProcDbeSwapBuffers(client) int error; unsigned int i, j; unsigned int nStuff; - + int nStuff_i; /* DDX API requires int for nStuff */ REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq); nStuff = stuff->n; /* use local variable for performance. */ @@ -806,10 +806,11 @@ ProcDbeSwapBuffers(client) * could deal with cross-screen synchronization. */ - while (nStuff > 0) + nStuff_i = nStuff; + while (nStuff_i > 0) { pDbeScreenPriv = DBE_SCREEN_PRIV_FROM_WINDOW(swapInfo[0].pWindow); - error = (*pDbeScreenPriv->SwapBuffers)(client, &nStuff, swapInfo); + error = (*pDbeScreenPriv->SwapBuffers)(client, &nStuff_i, swapInfo); if (error != Success) { free(swapInfo); -- cgit v1.2.3