Commit | Line | Data |
---|---|---|
7217e0ca ML |
1 | From 7e17b41d2907afd82d668f25694e1da12e34895e Mon Sep 17 00:00:00 2001 |
2 | From: Alan Coopersmith <alan.coopersmith@oracle.com> | |
3 | Date: Wed, 22 Jan 2014 21:11:16 -0800 | |
4 | Subject: [PATCH 02/33] dix: integer overflow in ProcPutImage() [CVE-2014-8092 | |
5 | 1/4] | |
6 | ||
7 | ProcPutImage() calculates a length field from a width, left pad and depth | |
8 | specified by the client (if the specified format is XYPixmap). | |
9 | ||
10 | The calculations for the total amount of memory the server needs for the | |
11 | pixmap can overflow a 32-bit number, causing out-of-bounds memory writes | |
12 | on 32-bit systems (since the length is stored in a long int variable). | |
13 | ||
14 | Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> | |
15 | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> | |
16 | Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> | |
17 | --- | |
18 | dix/dispatch.c | 3 +++ | |
19 | 1 file changed, 3 insertions(+) | |
20 | ||
4db25562 JB |
21 | --- a/dix/dispatch.c |
22 | +++ b/dix/dispatch.c | |
23 | @@ -1957,6 +1957,9 @@ ProcPutImage(ClientPtr client) | |
7217e0ca ML |
24 | tmpImage = (char *) &stuff[1]; |
25 | lengthProto = length; | |
26 | ||
27 | + if (lengthProto >= (INT32_MAX / stuff->height)) | |
28 | + return BadLength; | |
29 | + | |
30 | if ((bytes_to_int32(lengthProto * stuff->height) + | |
31 | bytes_to_int32(sizeof(xPutImageReq))) != client->req_len) | |
32 | return BadLength; |
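Review bot: The new guard at line 27 divides by `stuff->height` without first checking that it is non-zero, and nothing in the visible context rules out a zero height, so a request with height 0 would turn this overflow check into an integer division by zero. Handle that case before the division, for example by testing `stuff->height != 0` in the same condition, so that a zero-height request falls through to the existing `req_len` comparison below. A short comment above the check would also help: it should say that the bound keeps `lengthProto * stuff->height` within a signed 32-bit range, since that product is what the following `bytes_to_int32()` call consumes.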