| 1 | From 7e17b41d2907afd82d668f25694e1da12e34895e Mon Sep 17 00:00:00 2001 |
| 2 | From: Alan Coopersmith <alan.coopersmith@oracle.com> |
| 3 | Date: Wed, 22 Jan 2014 21:11:16 -0800 |
| 4 | Subject: [PATCH 02/33] dix: integer overflow in ProcPutImage() [CVE-2014-8092 |
| 5 | 1/4] |
| 6 | |
| 7 | ProcPutImage() calculates a length field from a width, left pad and depth |
| 8 | specified by the client (if the specified format is XYPixmap). |
| 9 | |
| 10 | The calculations for the total amount of memory the server needs for the |
| 11 | pixmap can overflow a 32-bit number, causing out-of-bounds memory writes |
| 12 | on 32-bit systems (since the length is stored in a long int variable). |
| 13 | |
| 14 | Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> |
| 15 | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> |
| 16 | Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> |
| 17 | --- |
| 18 | dix/dispatch.c | 3 +++ |
| 19 | 1 file changed, 3 insertions(+) |
| 20 | |
| 21 | --- a/dix/dispatch.c |
| 22 | +++ b/dix/dispatch.c |
| 23 | @@ -1957,6 +1957,9 @@ ProcPutImage(ClientPtr client) |
| 24 | tmpImage = (char *) &stuff[1]; |
| 25 | lengthProto = length; |
| 26 | |
| 27 | + if (lengthProto >= (INT32_MAX / stuff->height)) |
| 28 | + return BadLength; |
| 29 | + |
| 30 | if ((bytes_to_int32(lengthProto * stuff->height) + |
| 31 | bytes_to_int32(sizeof(xPutImageReq))) != client->req_len) |
| 32 | return BadLength; |