1 | From b20912c3d45cbbde3c443e6c3d9e189092fe65e1 Mon Sep 17 00:00:00 2001 |
2 | From: Keith Packard <keithp@keithp.com> | |
3 | Date: Tue, 9 Dec 2014 09:30:57 -0800 | |
4 | Subject: dbe: Call to DDX SwapBuffers requires address of int, not unsigned | |
5 | int [CVE-2014-8097 pt. 2] | |
6 | ||
7 | When the local types used to walk the DBE request were changed, this | |
8 | changed the type of the parameter passed to the DDX SwapBuffers API, | |
9 | but there wasn't a matching change in the API definition. | |
10 | ||
11 | At this point, with the API frozen, I just stuck a new variable in | |
12 | with the correct type. Because we've already bounds-checked nStuff to | |
13 | be smaller than UINT32_MAX / sizeof(DbeSwapInfoRec), we know it will | |
14 | fit in a signed int without overflow. | |
15 | ||
16 | Signed-off-by: Keith Packard <keithp@keithp.com | |
17 | Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> | |
18 | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> | |
19 | ||
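--- a/dbe/dbe.c
+++ b/dbe/dbe.c
@@ -452,6 +452,7 @@ ProcDbeSwapBuffers(ClientPtr client)
 int error;
 unsigned int i, j;
 unsigned int nStuff;
+ int nStuff_i; /* DDX API requires int for nStuff */
 
 REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
 nStuff = stuff->n; /* use local variable for performance. */
@@ -527,9 +528,10 @@ ProcDbeSwapBuffers(ClientPtr client)
 * could deal with cross-screen synchronization.
 */
 
- while (nStuff > 0) {
+ nStuff_i = nStuff;
+ while (nStuff_i > 0) {
 pDbeScreenPriv = DBE_SCREEN_PRIV_FROM_WINDOW(swapInfo[0].pWindow);
- error = (*pDbeScreenPriv->SwapBuffers) (client, &nStuff, swapInfo);
+ error = (*pDbeScreenPriv->SwapBuffers) (client, &nStuff_i, swapInfo);
 if (error != Success) {
 free(swapInfo);
 return error;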
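Review bot: The narrowing assignment `nStuff_i = nStuff;` in the second hunk is safe only because of a bounds check that sits outside both hunks, and nothing at the assignment records that dependency. The commit message says nStuff was already checked against `UINT32_MAX / sizeof(DbeSwapInfoRec)`; a comment at the assignment, e.g. `/* nStuff < UINT32_MAX / sizeof(DbeSwapInfoRec), checked above, so it fits in int */`, would keep the invariant next to the conversion so that a later edit to that check does not silently turn a large client-supplied `stuff->n` into a negative count. The comment added on the declaration in the first hunk explains the type but not the range. ProcDbeSwapBuffers starts and ends outside the hunks shown, so the check itself could not be confirmed from this page.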