mirror of
https://gitlab.freedesktop.org/xorg/xserver.git
synced 2025-12-30 20:10:07 +01:00
dix: integer overflow in ProcPutImage() [CVE-2014-8092 1/4]
ProcPutImage() calculates a length field from a width, left pad and depth
specified by the client (if the specified format is XYPixmap).
The calculations for the total amount of memory the server needs for the
pixmap can overflow a 32-bit number, causing out-of-bounds memory writes
on 32-bit systems (since the length is stored in a long int variable).
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit eeae42d60b)
Signed-off-by: Julien Cristau <jcristau@debian.org>
This commit is contained in:
Alan Coopersmith
Julien Cristau
parent
f1365eb0ec
commit
b022d4ef9d
1 changed files with 3 additions and 0 deletions
|
|
@ -1956,6 +1956,9 @@ ProcPutImage(ClientPtr client)
|
|||
tmpImage = (char *) &stuff[1];
|
||||
lengthProto = length;
|
||||
|
||||
if (lengthProto >= (INT32_MAX / stuff->height))
|
||||
return BadLength;
|
||||
|
||||
if ((bytes_to_int32(lengthProto * stuff->height) +
|
||||
bytes_to_int32(sizeof(xPutImageReq))) != client->req_len)
|
||||
return BadLength;
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue