From 7e1c3b94f42dfc5e52f0f724b6bf7d03e3b743e3 Mon Sep 17 00:00:00 2001
From: Mike DePaulo <mikedep333@gmail.com>
Date: Sat, 10 Jan 2015 12:03:47 -0500
Subject: Fix CVE-2014-8091..8103. Patches were ported from Ubuntu 14.04
 (xorg-server 1.15.1)

---
 xorg-server/os/access.c | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'xorg-server/os/access.c')

diff --git a/xorg-server/os/access.c b/xorg-server/os/access.c
index 62c3d9925..1caedf6bb 100644
--- a/xorg-server/os/access.c
+++ b/xorg-server/os/access.c
@@ -1500,6 +1500,10 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled)
     for (host = validhosts; host; host = host->next) {
         nHosts++;
         n += pad_to_int32(host->len) + sizeof(xHostEntry);
+        /* Could check for INT_MAX, but in reality having more than 1mb of
+           hostnames in the access list is ridiculous */
+        if (n >= 1048576)
+            break;
     }
     if (n) {
         *data = ptr = malloc(n);
@@ -1508,6 +1512,8 @@ GetHosts(void **data, int *pnHosts, int *pLen, BOOL * pEnabled)
         }
         for (host = validhosts; host; host = host->next) {
             len = host->len;
+            if ((ptr + sizeof(xHostEntry) + len) > ((unsigned char *) *data + n))
+                break;
             ((xHostEntry *) ptr)->family = host->family;
             ((xHostEntry *) ptr)->length = len;
             ptr += sizeof(xHostEntry);
-- 
cgit v1.2.3