Commit | Line | Data |
---|---|---|
7217e0ca ML |
1 | From f07eb544bbcfd9d4c64f036b654f4567f1fd2b9c Mon Sep 17 00:00:00 2001 |
2 | From: Alan Coopersmith <alan.coopersmith@oracle.com> | |
3 | Date: Wed, 22 Jan 2014 23:40:18 -0800 | |
4 | Subject: [PATCH 06/33] dri2: integer overflow in ProcDRI2GetBuffers() | |
5 | [CVE-2014-8094] | |
6 | ||
7 | ProcDRI2GetBuffers() tries to validate a length field (count). | |
8 | There is an integer overflow in the validation. This can cause | |
9 | out of bound reads and memory corruption later on. | |
10 | ||
11 | Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> | |
12 | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> | |
13 | Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> | |
14 | Reviewed-by: Julien Cristau <jcristau@debian.org> | |
15 | --- | |
16 | hw/xfree86/dri2/dri2ext.c | 3 +++ | |
17 | 1 file changed, 3 insertions(+) | |
18 | ||
7217e0ca ML |
19 | --- a/hw/xfree86/dri2/dri2ext.c |
20 | +++ b/hw/xfree86/dri2/dri2ext.c | |
4db25562 | 21 | @@ -278,6 +278,9 @@ ProcDRI2GetBuffers(ClientPtr client) |
7217e0ca ML |
22 | unsigned int *attachments; |
23 | ||
24 | REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * 4); | |
25 | + if (stuff->count > (INT_MAX / 4)) | |
26 | + return BadLength; | |
27 | + | |
28 | if (!validDrawable(client, stuff->drawable, DixReadAccess | DixWriteAccess, | |
29 | &pDrawable, &status)) | |
30 | return status; |
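Review bot: In the ProcDRI2GetBuffers hunk, the new bound test on stuff->count sits after `REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * 4);`, so the product stuff->count * 4 has already been evaluated and handed to the length validation before the count is checked. The commit message places the integer overflow in that validation. Move `if (stuff->count > (INT_MAX / 4)) return BadLength;` above the REQUEST_FIXED_SIZE line so that the multiplication only ever runs on a bounded count. The diffstat shows three insertions and no new include, so also confirm that dri2ext.c already gets INT_MAX from <limits.h>. A one-line comment tying the divisor 4 to the `stuff->count * 4` in the macro argument would help later readers.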