diff options
| author | Mike DePaulo <mikedep333@gmail.com> | 2015-01-10 12:03:47 -0500 |
|---|---|---|
| committer | Mike DePaulo <mikedep333@gmail.com> | 2015-01-10 12:03:47 -0500 |
| commit | 0f3cca7b69ea6711c8f1963eb213ce8f1629091f (patch) | |
| tree | 0df630c725acaa3516f27a36ec9c0194fbb132ad /xorg-server/dix | |
| parent | 9380c3137260167265f1b528dd3687517cf9449a (diff) | |
| download | vcxsrv-0f3cca7b69ea6711c8f1963eb213ce8f1629091f.tar.gz vcxsrv-0f3cca7b69ea6711c8f1963eb213ce8f1629091f.tar.bz2 vcxsrv-0f3cca7b69ea6711c8f1963eb213ce8f1629091f.zip | |
Fix CVE-2014-8091..8103. Patches were ported from Ubuntu 14.04 (xorg-server 1.15.1)
Diffstat (limited to 'xorg-server/dix')
| -rw-r--r-- | xorg-server/dix/dispatch.c | 3 | ||||
| -rw-r--r-- | xorg-server/dix/region.c | 20 |
2 files changed, 16 insertions, 7 deletions
diff --git a/xorg-server/dix/dispatch.c b/xorg-server/dix/dispatch.c index 28a54de76..67dbce6e1 100644 --- a/xorg-server/dix/dispatch.c +++ b/xorg-server/dix/dispatch.c @@ -2002,6 +2002,9 @@ ProcPutImage(ClientPtr client) tmpImage = (char *) &stuff[1];
lengthProto = length;
+ if (lengthProto >= (INT32_MAX / stuff->height))
+ return BadLength;
+
if ((bytes_to_int32(lengthProto * stuff->height) +
bytes_to_int32(sizeof(xPutImageReq))) != client->req_len)
return BadLength;
diff --git a/xorg-server/dix/region.c b/xorg-server/dix/region.c index 15f3d01a5..e5eed0150 100644 --- a/xorg-server/dix/region.c +++ b/xorg-server/dix/region.c @@ -169,7 +169,6 @@ Equipment Corporation. ((r1)->y1 <= (r2)->y1) && \ ((r1)->y2 >= (r2)->y2) ) -#define xallocData(n) malloc(RegionSizeof(n)) #define xfreeData(reg) if ((reg)->data && (reg)->data->size) free((reg)->data) #define RECTALLOC_BAIL(pReg,n,bail) \ @@ -205,8 +204,9 @@ if (!(pReg)->data || (((pReg)->data->numRects + (n)) > (pReg)->data->size)) \ #define DOWNSIZE(reg,numRects) \ if (((numRects) < ((reg)->data->size >> 1)) && ((reg)->data->size > 50)) \ { \ - RegDataPtr NewData; \ - NewData = (RegDataPtr)realloc((reg)->data, RegionSizeof(numRects)); \ + size_t NewSize = RegionSizeof(numRects); \ + RegDataPtr NewData = \ + (NewSize > 0) ? realloc((reg)->data, NewSize) : NULL ; \ if (NewData) \ { \ NewData->size = (numRects); \ @@ -345,17 +345,20 @@ Bool RegionRectAlloc(RegionPtr pRgn, int n) { RegDataPtr data; + size_t rgnSize; if (!pRgn->data) { n++; - pRgn->data = xallocData(n); + rgnSize = RegionSizeof(n); + pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL; if (!pRgn->data) return RegionBreak(pRgn); pRgn->data->numRects = 1; *RegionBoxptr(pRgn) = pRgn->extents; } else if (!pRgn->data->size) { - pRgn->data = xallocData(n); + rgnSize = RegionSizeof(n); + pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL; if (!pRgn->data) return RegionBreak(pRgn); pRgn->data->numRects = 0; @@ -367,7 +370,8 @@ RegionRectAlloc(RegionPtr pRgn, int n) n = 250; } n += pRgn->data->numRects; - data = (RegDataPtr) realloc(pRgn->data, RegionSizeof(n)); + rgnSize = RegionSizeof(n); + data = (rgnSize > 0) ? realloc(pRgn->data, rgnSize) : NULL; if (!data) return RegionBreak(pRgn); pRgn->data = data; @@ -1312,6 +1316,7 @@ RegionFromRects(int nrects, xRectangle *prect, int ctype) { RegionPtr pRgn; + size_t rgnSize; RegDataPtr pData; BoxPtr pBox; int i; @@ -1338,7 +1343,8 @@ RegionFromRects(int nrects, xRectangle *prect, int ctype) } return pRgn; } - pData = xallocData(nrects); + rgnSize = RegionSizeof(nrects); + pData = (rgnSize > 0) ? malloc(rgnSize) : NULL; if (!pData) { RegionBreak(pRgn); return pRgn; |