Commit | Line | Data |
---|---|---|
7217e0ca ML |
1 | From f07eb544bbcfd9d4c64f036b654f4567f1fd2b9c Mon Sep 17 00:00:00 2001 |
2 | From: Alan Coopersmith <alan.coopersmith@oracle.com> | |
3 | Date: Wed, 22 Jan 2014 23:40:18 -0800 | |
4 | Subject: [PATCH 06/33] dri2: integer overflow in ProcDRI2GetBuffers() | |
5 | [CVE-2014-8094] | |
6 | ||
7 | ProcDRI2GetBuffers() tries to validate a length field (count). | |
8 | There is an integer overflow in the validation. This can cause | |
9 | out of bound reads and memory corruption later on. | |
10 | ||
11 | Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> | |
12 | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> | |
13 | Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> | |
14 | Reviewed-by: Julien Cristau <jcristau@debian.org> | |
15 | --- | |
16 | hw/xfree86/dri2/dri2ext.c | 3 +++ | |
17 | 1 file changed, 3 insertions(+) | |
18 | ||
19 | diff --git a/hw/xfree86/dri2/dri2ext.c b/hw/xfree86/dri2/dri2ext.c | |
20 | index ffd66fa..221ec53 100644 | |
21 | --- a/hw/xfree86/dri2/dri2ext.c | |
22 | +++ b/hw/xfree86/dri2/dri2ext.c | |
23 | @@ -270,6 +270,9 @@ ProcDRI2GetBuffers(ClientPtr client) | |
24 | unsigned int *attachments; | |
25 | ||
26 | REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * 4); | |
27 | + if (stuff->count > (INT_MAX / 4)) | |
28 | + return BadLength; | |
29 | + | |
30 | if (!validDrawable(client, stuff->drawable, DixReadAccess | DixWriteAccess, | |
31 | &pDrawable, &status)) | |
32 | return status; | |
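Review bot: The added `stuff->count > (INT_MAX / 4)` test comes after `REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * 4)`, so the multiplication it is meant to guard has already been evaluated on an unchecked `count` when the bound is tested. The early `return BadLength` still stops an oversized `count` before `validDrawable()` and anything later, but that relies on the macro doing nothing with the wrapped product beyond a compare and return. Moving the check above `REQUEST_FIXED_SIZE` would make the length validation run only on a product that cannot overflow. Two smaller points: the literal `4` appears in both lines and could be tied to the element size of `attachments`, and the diffstat shows no new include, so confirm that `dri2ext.c` already gets `INT_MAX` from `<limits.h>`.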
33 | -- | |
34 | 1.7.9.2 | |
35 |