fdo-mirrors/xserver
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/xorg/xserver.git synced 2026-01-03 21:00:11 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

CVE-2008-1379 - MIT-SHM arbitrary memory read

Browse source 
An integer overflow in the validation of the parameters of the
ShmPutImage() request makes it possible to trigger the copy of
arbitrary server memory to a pixmap that can subsequently be read by
the client, to read arbitrary parts of the X server memory space.
(cherry picked from commit 063f18ef6d)
This commit is contained in:
Matthieu Herrb 2008-06-10 12:20:43 -06:00 committed by Jeremy Huddleston
parent 2af571dbf1
commit b0a9b42961
1 changed files with 11 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
Xext/shm.c
View file

@ -841,8 +841,17 @@ ProcShmPutImage(client)
return BadValue;
}
VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
client);
/*
* There's a potential integer overflow in this check:
* VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
* client);
* the version below ought to avoid it
*/
if (stuff->totalHeight != 0 &&
length > (shmdesc->size - stuff->offset)/stuff->totalHeight) {
client->errorValue = stuff->totalWidth;
return BadValue;
}
if (stuff->srcX > stuff->totalWidth)
{
client->errorValue = stuff->srcX;