| 1 | From f07eb544bbcfd9d4c64f036b654f4567f1fd2b9c Mon Sep 17 00:00:00 2001 |
| 2 | From: Alan Coopersmith <alan.coopersmith@oracle.com> |
| 3 | Date: Wed, 22 Jan 2014 23:40:18 -0800 |
| 4 | Subject: [PATCH 06/33] dri2: integer overflow in ProcDRI2GetBuffers() |
| 5 | [CVE-2014-8094] |
| 6 | |
| 7 | ProcDRI2GetBuffers() tries to validate a length field (count). |
| 8 | There is an integer overflow in the validation. This can cause |
| 9 | out of bound reads and memory corruption later on. |
| 10 | |
| 11 | Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> |
| 12 | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> |
| 13 | Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> |
| 14 | Reviewed-by: Julien Cristau <jcristau@debian.org> |
| 15 | --- |
| 16 | hw/xfree86/dri2/dri2ext.c | 3 +++ |
| 17 | 1 file changed, 3 insertions(+) |
| 18 | |
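--- a/hw/xfree86/dri2/dri2ext.c
+++ b/hw/xfree86/dri2/dri2ext.c
@@ -278,6 +278,9 @@ ProcDRI2GetBuffers(ClientPtr client)
 unsigned int *attachments;
 
 REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * 4);
+ if (stuff->count > (INT_MAX / 4))
+ return BadLength;
+
 if (!validDrawable(client, stuff->drawable, DixReadAccess | DixWriteAccess,
 &pDrawable, &status))
 return status;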
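Review bot: The new bound on `stuff->count` sits after `REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * 4)`, so the product that can wrap is still evaluated and used in the length check before the oversized count is rejected. The outcome is the same only if that macro does nothing but compare lengths and return, which is not visible in this hunk; moving `if (stuff->count > (INT_MAX / 4)) return BadLength;` above the macro line would make the validation independent of that. A short comment such as `/* count comes from the client; reject values for which count * 4 would overflow */` would record why the limit exists. The hunk does not show whether `<limits.h>` is included for `INT_MAX`, and the body of ProcDRI2GetBuffers starts and continues outside the hunk.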