fdo-mirrors/xserver
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/xorg/xserver.git synced 2025-12-20 12:50:04 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

record: Fix OOB access in ProcRecordUnregisterClients

Browse source 
If a client sends a RecordUnregisterClients request with an nClients
field larger than INT_MAX / 4, an integer overflow leads to an
out of boundary access in RecordSanityCheckClientSpecifiers.

An example line with libXtst would be:
XRecordUnregisterClients(dpy, rc, clients, 0x40000001);

Reviewed-by: Adam Jackson <ajax@redhat.com>
(cherry picked from commit 40c12a76c2)
This commit is contained in:
Tobias Stoeckmann 2017-03-19 17:55:07 +01:00 committed by Olivier Fourdan
parent 3166138ea6
commit e23000d83f
1 changed files with 2 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
record/record.c
View file

@ -1910,7 +1910,8 @@ ProcRecordUnregisterClients(ClientPtr client)
int i; int i;
REQUEST_AT_LEAST_SIZE(xRecordUnregisterClientsReq); REQUEST_AT_LEAST_SIZE(xRecordUnregisterClientsReq);
if ((client->req_len << 2) - SIZEOF(xRecordUnregisterClientsReq) != if (INT_MAX / 4 < stuff->nClients ||
(client->req_len << 2) - SIZEOF(xRecordUnregisterClientsReq) !=
4 * stuff->nClients) 4 * stuff->nClients)
return BadLength; return BadLength;
VERIFY_CONTEXT(pContext, stuff->context, client); VERIFY_CONTEXT(pContext, stuff->context, client);