diff options
author | Mike DePaulo <mikedep333@gmail.com> | 2015-01-10 12:03:47 -0500 |
---|---|---|
committer | Mike DePaulo <mikedep333@gmail.com> | 2015-01-10 12:06:49 -0500 |
commit | 7e1c3b94f42dfc5e52f0f724b6bf7d03e3b743e3 (patch) | |
tree | f2a4bfed7809a8e0bf4d06ec56a80191badba48b /xorg-server/os/access.c | |
parent | 212ca5c6023b6b7455ad64b2c29aeff82f301a03 (diff) | |
download | vcxsrv-7e1c3b94f42dfc5e52f0f724b6bf7d03e3b743e3.tar.gz vcxsrv-7e1c3b94f42dfc5e52f0f724b6bf7d03e3b743e3.tar.bz2 vcxsrv-7e1c3b94f42dfc5e52f0f724b6bf7d03e3b743e3.zip |
Fix CVE-2014-8091..8103. Patches were ported from Ubuntu 14.04 (xorg-server 1.15.1)
Diffstat (limited to 'xorg-server/os/access.c')
-rw-r--r-- | xorg-server/os/access.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/xorg-server/os/access.c b/xorg-server/os/access.c index 62c3d9925..1caedf6bb 100644 --- a/xorg-server/os/access.c +++ b/xorg-server/os/access.c @@ -1500,6 +1500,10 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled) for (host = validhosts; host; host = host->next) { nHosts++; n += pad_to_int32(host->len) + sizeof(xHostEntry); + /* Could check for INT_MAX, but in reality having more than 1mb of + hostnames in the access list is ridiculous */ + if (n >= 1048576) + break; } if (n) { *data = ptr = malloc(n); @@ -1508,6 +1512,8 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled) } for (host = validhosts; host; host = host->next) { len = host->len; + if ((ptr + sizeof(xHostEntry) + len) > ((unsigned char *) *data + n)) + break; ((xHostEntry *) ptr)->family = host->family; ((xHostEntry *) ptr)->length = len; ptr += sizeof(xHostEntry); |