Fix CVE-2014-8091..8103. Patches were ported from Ubuntu 14.04 (xorg-server 1.15.1)

author: Mike DePaulo <mikedep333@gmail.com> 2015-01-10 12:03:47 -0500
committer: Mike DePaulo <mikedep333@gmail.com> 2015-01-10 12:06:49 -0500
commit: 7e1c3b94f42dfc5e52f0f724b6bf7d03e3b743e3 (patch)
tree: f2a4bfed7809a8e0bf4d06ec56a80191badba48b /xorg-server/os
parent: 212ca5c6023b6b7455ad64b2c29aeff82f301a03 (diff)
download: vcxsrv-7e1c3b94f42dfc5e52f0f724b6bf7d03e3b743e3.tar.gz
vcxsrv-7e1c3b94f42dfc5e52f0f724b6bf7d03e3b743e3.tar.bz2
vcxsrv-7e1c3b94f42dfc5e52f0f724b6bf7d03e3b743e3.zip
2 files changed, 10 insertions, 0 deletions
diff --git a/xorg-server/os/access.c b/xorg-server/os/access.c
index 62c3d9925..1caedf6bb 100644
--- a/xorg-server/os/access.c
+++ b/xorg-server/os/access.c
@@ -1500,6 +1500,10 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled)
     for (host = validhosts; host; host = host->next) {
         nHosts++;
         n += pad_to_int32(host->len) + sizeof(xHostEntry);
+        /* Could check for INT_MAX, but in reality having more than 1mb of
+           hostnames in the access list is ridiculous */
+        if (n >= 1048576)
+            break;
     }
     if (n) {
         *data = ptr = malloc(n);
@@ -1508,6 +1512,8 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled)
         }
         for (host = validhosts; host; host = host->next) {
             len = host->len;
+            if ((ptr + sizeof(xHostEntry) + len) > ((unsigned char *) *data + n))
+                break;
             ((xHostEntry *) ptr)->family = host->family;
             ((xHostEntry *) ptr)->length = len;
             ptr += sizeof(xHostEntry);
diff --git a/xorg-server/os/rpcauth.c b/xorg-server/os/rpcauth.c
index d60ea3518..413cc6118 100644
--- a/xorg-server/os/rpcauth.c
+++ b/xorg-server/os/rpcauth.c
@@ -66,6 +66,10 @@ authdes_ezdecode(const char *inmsg, int len)
     SVCXPRT xprt;
 
     temp_inmsg = malloc(len);
+    if (temp_inmsg == NULL) {
+        why = AUTH_FAILED; /* generic error, since there is no AUTH_BADALLOC */
+        return NULL;
+    }
     memmove(temp_inmsg, inmsg, len);
 
     memset((char *) &msg, 0, sizeof(msg));
author	Mike DePaulo <mikedep333@gmail.com>	2015-01-10 12:03:47 -0500
committer	Mike DePaulo <mikedep333@gmail.com>	2015-01-10 12:06:49 -0500
commit	7e1c3b94f42dfc5e52f0f724b6bf7d03e3b743e3 (patch)
tree	f2a4bfed7809a8e0bf4d06ec56a80191badba48b /xorg-server/os
parent	212ca5c6023b6b7455ad64b2c29aeff82f301a03 (diff)
download	vcxsrv-7e1c3b94f42dfc5e52f0f724b6bf7d03e3b743e3.tar.gz vcxsrv-7e1c3b94f42dfc5e52f0f724b6bf7d03e3b743e3.tar.bz2 vcxsrv-7e1c3b94f42dfc5e52f0f724b6bf7d03e3b743e3.zip