mirror of
https://gitlab.freedesktop.org/xorg/xserver.git
synced 2025-12-20 05:50:04 +01:00
randr: Check for overflow in RRChangeProviderProperty()
A client might send a request causing an integer overflow when computing the total size to allocate in RRChangeProviderProperty(). To avoid the issue, check that total length in bytes won't exceed the maximum integer value. CVE-2025-49180 This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and reported by Julian Suleder via ERNW Vulnerability Disclosure. Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024>
This commit is contained in:
Olivier Fourdan
parent
2bde9ca49a
commit
3c3a4b767b
1 changed files with 2 additions and 1 deletions
|
|
@ -182,7 +182,8 @@ RRChangeProviderProperty(RRProviderPtr provider, Atom property, Atom type,
|
|||
|
||||
if (mode == PropModeReplace || len > 0) {
|
||||
void *new_data = NULL, *old_data = NULL;
|
||||
|
||||
if (total_len > MAXINT / size_in_bytes)
|
||||
return BadValue;
|
||||
total_size = total_len * size_in_bytes;
|
||||
new_value.data = (void *) malloc(total_size);
|
||||
if (!new_value.data && total_size) {
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue