diff options
author | Mike DePaulo <mikedep333@gmail.com> | 2015-01-10 12:03:47 -0500 |
---|---|---|
committer | Mike DePaulo <mikedep333@gmail.com> | 2015-01-10 12:06:49 -0500 |
commit | 7e1c3b94f42dfc5e52f0f724b6bf7d03e3b743e3 (patch) | |
tree | f2a4bfed7809a8e0bf4d06ec56a80191badba48b /xorg-server/os | |
parent | 212ca5c6023b6b7455ad64b2c29aeff82f301a03 (diff) | |
download | vcxsrv-7e1c3b94f42dfc5e52f0f724b6bf7d03e3b743e3.tar.gz vcxsrv-7e1c3b94f42dfc5e52f0f724b6bf7d03e3b743e3.tar.bz2 vcxsrv-7e1c3b94f42dfc5e52f0f724b6bf7d03e3b743e3.zip |
Fix CVE-2014-8091..8103. Patches were ported from Ubuntu 14.04 (xorg-server 1.15.1)
Diffstat (limited to 'xorg-server/os')
-rw-r--r-- | xorg-server/os/access.c | 6 | ||||
-rw-r--r-- | xorg-server/os/rpcauth.c | 4 |
2 files changed, 10 insertions, 0 deletions
diff --git a/xorg-server/os/access.c b/xorg-server/os/access.c index 62c3d9925..1caedf6bb 100644 --- a/xorg-server/os/access.c +++ b/xorg-server/os/access.c @@ -1500,6 +1500,10 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled) for (host = validhosts; host; host = host->next) { nHosts++; n += pad_to_int32(host->len) + sizeof(xHostEntry); + /* Could check for INT_MAX, but in reality having more than 1mb of + hostnames in the access list is ridiculous */ + if (n >= 1048576) + break; } if (n) { *data = ptr = malloc(n); @@ -1508,6 +1512,8 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled) } for (host = validhosts; host; host = host->next) { len = host->len; + if ((ptr + sizeof(xHostEntry) + len) > ((unsigned char *) *data + n)) + break; ((xHostEntry *) ptr)->family = host->family; ((xHostEntry *) ptr)->length = len; ptr += sizeof(xHostEntry); diff --git a/xorg-server/os/rpcauth.c b/xorg-server/os/rpcauth.c index d60ea3518..413cc6118 100644 --- a/xorg-server/os/rpcauth.c +++ b/xorg-server/os/rpcauth.c @@ -66,6 +66,10 @@ authdes_ezdecode(const char *inmsg, int len) SVCXPRT xprt; temp_inmsg = malloc(len); + if (temp_inmsg == NULL) { + why = AUTH_FAILED; /* generic error, since there is no AUTH_BADALLOC */ + return NULL; + } memmove(temp_inmsg, inmsg, len); memset((char *) &msg, 0, sizeof(msg)); |