Commit | Line | Data |
---|---|---|
7217e0ca ML |
1 | From d7b2f5c06259c7e6ba037909adec4c2a5a8b15ec Mon Sep 17 00:00:00 2001 |
2 | From: Alan Coopersmith <alan.coopersmith@oracle.com> | |
3 | Date: Wed, 22 Jan 2014 22:37:15 -0800 | |
4 | Subject: [PATCH 04/33] dix: integer overflow in RegionSizeof() [CVE-2014-8092 | |
5 | 3/4] | |
6 | ||
7 | RegionSizeof contains several integer overflows if a large length | |
8 | value is passed in. Once we fix it to return 0 on overflow, we | |
9 | also have to fix the callers to handle this error condition | |
10 | ||
11 | v2: Fixed limit calculation in RegionSizeof as pointed out by jcristau. | |
12 | ||
13 | Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> | |
14 | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> | |
15 | Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> | |
16 | Reviewed-by: Julien Cristau <jcristau@debian.org> | |
17 | --- | |
18 | dix/region.c | 20 +++++++++++++------- | |
19 | include/regionstr.h | 10 +++++++--- | |
20 | 2 files changed, 20 insertions(+), 10 deletions(-) | |
21 | ||
22 | Index: xorg-server-1.15.1/dix/region.c | |
23 | =================================================================== | |
24 | --- xorg-server-1.15.1.orig/dix/region.c 2014-12-05 08:24:42.034665485 -0500 | |
25 | +++ xorg-server-1.15.1/dix/region.c 2014-12-05 08:24:42.030665458 -0500 | |
26 | @@ -169,7 +169,6 @@ | |
27 | ((r1)->y1 <= (r2)->y1) && \ | |
28 | ((r1)->y2 >= (r2)->y2) ) | |
29 | ||
30 | -#define xallocData(n) malloc(RegionSizeof(n)) | |
31 | #define xfreeData(reg) if ((reg)->data && (reg)->data->size) free((reg)->data) | |
32 | ||
33 | #define RECTALLOC_BAIL(pReg,n,bail) \ | |
34 | @@ -205,8 +204,9 @@ | |
35 | #define DOWNSIZE(reg,numRects) \ | |
36 | if (((numRects) < ((reg)->data->size >> 1)) && ((reg)->data->size > 50)) \ | |
37 | { \ | |
38 | - RegDataPtr NewData; \ | |
39 | - NewData = (RegDataPtr)realloc((reg)->data, RegionSizeof(numRects)); \ | |
40 | + size_t NewSize = RegionSizeof(numRects); \ | |
41 | + RegDataPtr NewData = \ | |
42 | + (NewSize > 0) ? realloc((reg)->data, NewSize) : NULL ; \ | |
43 | if (NewData) \ | |
44 | { \ | |
45 | NewData->size = (numRects); \ | |
46 | @@ -345,17 +345,20 @@ | |
47 | RegionRectAlloc(RegionPtr pRgn, int n) | |
48 | { | |
49 | RegDataPtr data; | |
50 | + size_t rgnSize; | |
51 | ||
52 | if (!pRgn->data) { | |
53 | n++; | |
54 | - pRgn->data = xallocData(n); | |
55 | + rgnSize = RegionSizeof(n); | |
56 | + pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL; | |
57 | if (!pRgn->data) | |
58 | return RegionBreak(pRgn); | |
59 | pRgn->data->numRects = 1; | |
60 | *RegionBoxptr(pRgn) = pRgn->extents; | |
61 | } | |
62 | else if (!pRgn->data->size) { | |
63 | - pRgn->data = xallocData(n); | |
64 | + rgnSize = RegionSizeof(n); | |
65 | + pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL; | |
66 | if (!pRgn->data) | |
67 | return RegionBreak(pRgn); | |
68 | pRgn->data->numRects = 0; | |
69 | @@ -367,7 +370,8 @@ | |
70 | n = 250; | |
71 | } | |
72 | n += pRgn->data->numRects; | |
73 | - data = (RegDataPtr) realloc(pRgn->data, RegionSizeof(n)); | |
74 | + rgnSize = RegionSizeof(n); | |
75 | + data = (rgnSize > 0) ? realloc(pRgn->data, rgnSize) : NULL; | |
76 | if (!data) | |
77 | return RegionBreak(pRgn); | |
78 | pRgn->data = data; | |
79 | @@ -1312,6 +1316,7 @@ | |
80 | { | |
81 | ||
82 | RegionPtr pRgn; | |
83 | + size_t rgnSize; | |
84 | RegDataPtr pData; | |
85 | BoxPtr pBox; | |
86 | int i; | |
87 | @@ -1338,7 +1343,8 @@ | |
88 | } | |
89 | return pRgn; | |
90 | } | |
91 | - pData = xallocData(nrects); | |
92 | + rgnSize = RegionSizeof(nrects); | |
93 | + pData = (rgnSize > 0) ? malloc(rgnSize) : NULL; | |
94 | if (!pData) { | |
95 | RegionBreak(pRgn); | |
96 | return pRgn; | |
97 | Index: xorg-server-1.15.1/include/regionstr.h | |
98 | =================================================================== | |
99 | --- xorg-server-1.15.1.orig/include/regionstr.h 2014-12-05 08:24:42.034665485 -0500 | |
100 | +++ xorg-server-1.15.1/include/regionstr.h 2014-12-05 08:24:42.030665458 -0500 | |
101 | @@ -127,7 +127,10 @@ | |
102 | static inline size_t | |
103 | RegionSizeof(size_t n) | |
104 | { | |
105 | - return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec))); | |
106 | + if (n < ((INT_MAX - sizeof(RegDataRec)) / sizeof(BoxRec))) | |
107 | + return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec))); | |
108 | + else | |
109 | + return 0; | |
110 | } | |
111 | ||
112 | static inline void | |
113 | @@ -138,9 +141,10 @@ | |
114 | (_pReg)->data = (RegDataPtr) NULL; | |
115 | } | |
116 | else { | |
117 | + size_t rgnSize; | |
118 | (_pReg)->extents = RegionEmptyBox; | |
119 | - if (((_size) > 1) && ((_pReg)->data = | |
120 | - (RegDataPtr) malloc(RegionSizeof(_size)))) { | |
121 | + if (((_size) > 1) && ((rgnSize = RegionSizeof(_size)) > 0) && | |
122 | + (((_pReg)->data = malloc(rgnSize)) != NULL)) { | |
123 | (_pReg)->data->size = (_size); | |
124 | (_pReg)->data->numRects = 0; | |
125 | } |