Commit | Line | Data |
---|---|---|
7217e0ca ML |
1 | From d7b2f5c06259c7e6ba037909adec4c2a5a8b15ec Mon Sep 17 00:00:00 2001 |
2 | From: Alan Coopersmith <alan.coopersmith@oracle.com> | |
3 | Date: Wed, 22 Jan 2014 22:37:15 -0800 | |
4 | Subject: [PATCH 04/33] dix: integer overflow in RegionSizeof() [CVE-2014-8092 | |
5 | 3/4] | |
6 | ||
7 | RegionSizeof contains several integer overflows if a large length | |
8 | value is passed in. Once we fix it to return 0 on overflow, we | |
9 | also have to fix the callers to handle this error condition | |
10 | ||
11 | v2: Fixed limit calculation in RegionSizeof as pointed out by jcristau. | |
12 | ||
13 | Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> | |
14 | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> | |
15 | Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> | |
16 | Reviewed-by: Julien Cristau <jcristau@debian.org> | |
17 | --- | |
18 | dix/region.c | 20 +++++++++++++------- | |
19 | include/regionstr.h | 10 +++++++--- | |
20 | 2 files changed, 20 insertions(+), 10 deletions(-) | |
21 | ||
4db25562 JB |
22 | --- a/dix/region.c |
23 | +++ b/dix/region.c | |
24 | @@ -169,7 +169,6 @@ Equipment Corporation. | |
7217e0ca ML |
25 | ((r1)->y1 <= (r2)->y1) && \ |
26 | ((r1)->y2 >= (r2)->y2) ) | |
27 | ||
28 | -#define xallocData(n) malloc(RegionSizeof(n)) | |
29 | #define xfreeData(reg) if ((reg)->data && (reg)->data->size) free((reg)->data) | |
30 | ||
31 | #define RECTALLOC_BAIL(pReg,n,bail) \ | |
4db25562 | 32 | @@ -205,8 +204,9 @@ if (!(pReg)->data || (((pReg)->data->num |
7217e0ca ML |
33 | #define DOWNSIZE(reg,numRects) \ |
34 | if (((numRects) < ((reg)->data->size >> 1)) && ((reg)->data->size > 50)) \ | |
35 | { \ | |
36 | - RegDataPtr NewData; \ | |
37 | - NewData = (RegDataPtr)realloc((reg)->data, RegionSizeof(numRects)); \ | |
38 | + size_t NewSize = RegionSizeof(numRects); \ | |
39 | + RegDataPtr NewData = \ | |
40 | + (NewSize > 0) ? realloc((reg)->data, NewSize) : NULL ; \ | |
41 | if (NewData) \ | |
42 | { \ | |
43 | NewData->size = (numRects); \ | |
4db25562 | 44 | @@ -345,17 +345,20 @@ Bool |
7217e0ca ML |
45 | RegionRectAlloc(RegionPtr pRgn, int n) |
46 | { | |
47 | RegDataPtr data; | |
48 | + size_t rgnSize; | |
49 | ||
50 | if (!pRgn->data) { | |
51 | n++; | |
52 | - pRgn->data = xallocData(n); | |
53 | + rgnSize = RegionSizeof(n); | |
54 | + pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL; | |
55 | if (!pRgn->data) | |
56 | return RegionBreak(pRgn); | |
57 | pRgn->data->numRects = 1; | |
58 | *RegionBoxptr(pRgn) = pRgn->extents; | |
59 | } | |
60 | else if (!pRgn->data->size) { | |
61 | - pRgn->data = xallocData(n); | |
62 | + rgnSize = RegionSizeof(n); | |
63 | + pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL; | |
64 | if (!pRgn->data) | |
65 | return RegionBreak(pRgn); | |
66 | pRgn->data->numRects = 0; | |
4db25562 | 67 | @@ -367,7 +370,8 @@ RegionRectAlloc(RegionPtr pRgn, int n) |
7217e0ca ML |
68 | n = 250; |
69 | } | |
70 | n += pRgn->data->numRects; | |
71 | - data = (RegDataPtr) realloc(pRgn->data, RegionSizeof(n)); | |
72 | + rgnSize = RegionSizeof(n); | |
73 | + data = (rgnSize > 0) ? realloc(pRgn->data, rgnSize) : NULL; | |
74 | if (!data) | |
75 | return RegionBreak(pRgn); | |
76 | pRgn->data = data; | |
4db25562 | 77 | @@ -1312,6 +1316,7 @@ RegionFromRects(int nrects, xRectangle * |
7217e0ca ML |
78 | { |
79 | ||
80 | RegionPtr pRgn; | |
81 | + size_t rgnSize; | |
82 | RegDataPtr pData; | |
83 | BoxPtr pBox; | |
84 | int i; | |
4db25562 | 85 | @@ -1338,7 +1343,8 @@ RegionFromRects(int nrects, xRectangle * |
7217e0ca ML |
86 | } |
87 | return pRgn; | |
88 | } | |
89 | - pData = xallocData(nrects); | |
90 | + rgnSize = RegionSizeof(nrects); | |
91 | + pData = (rgnSize > 0) ? malloc(rgnSize) : NULL; | |
92 | if (!pData) { | |
93 | RegionBreak(pRgn); | |
94 | return pRgn; | |
4db25562 JB |
95 | --- a/include/regionstr.h |
96 | +++ b/include/regionstr.h | |
97 | @@ -127,7 +127,10 @@ RegionEnd(RegionPtr reg) | |
7217e0ca ML |
98 | static inline size_t |
99 | RegionSizeof(size_t n) | |
100 | { | |
101 | - return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec))); | |
102 | + if (n < ((INT_MAX - sizeof(RegDataRec)) / sizeof(BoxRec))) | |
103 | + return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec))); | |
104 | + else | |
105 | + return 0; | |
106 | } | |
107 | ||
108 | static inline void | |
4db25562 | 109 | @@ -138,9 +141,10 @@ RegionInit(RegionPtr _pReg, BoxPtr _rect |
7217e0ca ML |
110 | (_pReg)->data = (RegDataPtr) NULL; |
111 | } | |
112 | else { | |
113 | + size_t rgnSize; | |
114 | (_pReg)->extents = RegionEmptyBox; | |
115 | - if (((_size) > 1) && ((_pReg)->data = | |
116 | - (RegDataPtr) malloc(RegionSizeof(_size)))) { | |
117 | + if (((_size) > 1) && ((rgnSize = RegionSizeof(_size)) > 0) && | |
118 | + (((_pReg)->data = malloc(rgnSize)) != NULL)) { | |
119 | (_pReg)->data->size = (_size); | |
120 | (_pReg)->data->numRects = 0; | |
121 | } |