CVE-2008-1379 - MIT-SHM arbitrary memory read

An integer overflow in the validation of the parameters of the
ShmPutImage() request makes it possible to trigger the copy of
arbitrary server memory to a pixmap that can subsequently be read by
the client, to read arbitrary parts of the X server memory space.
Matthieu Herrb 2008-06-08 11:16:23 -06:00 committed by Matthieu Herrb
parent 8ffaf61370
commit 08e6292e7e

@ -848,8 +848,17 @@ ProcShmPutImage(client)
return BadValue;
}
VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
client);
/*
* There's a potential integer overflow in this check:
* VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
* client);
* the version below ought to avoid it
*/
if (stuff->totalHeight != 0 &&
length > (shmdesc->size - stuff->offset)/stuff->totalHeight) {
client->errorValue = stuff->totalWidth;
return BadValue;
}
if (stuff->srcX > stuff->totalWidth)
{
client->errorValue = stuff->srcX;
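
Review bot: The replacement check `length > (shmdesc->size - stuff->offset)/stuff->totalHeight` depends on stuff->offset never exceeding shmdesc->size, and nothing in this hunk establishes that. If these fields are unsigned and offset can be larger than size, the subtraction wraps to a huge value and the check passes for almost any length, which would reopen the out-of-bounds read this commit is closing. If an earlier check in ProcShmPutImage already rejects such offsets, please say so in the new comment; otherwise add an explicit `stuff->offset > shmdesc->size` test ahead of the division. Two smaller points: the failure path sets client->errorValue to stuff->totalWidth although the rejected quantity is derived from length, offset and totalHeight, so the reported value may mislead a client debugging the error; and "ought to avoid it" in the comment would be more useful if it stated why the division form cannot overflow (the product length * stuff->totalHeight is never computed).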