| 1 | From 7d4f361a216718fc7333ab805dafdb9e5c85c180 Mon Sep 17 00:00:00 2001 |
| 2 | From: Alan Coopersmith <alan.coopersmith@oracle.com> |
| 3 | Date: Wed, 22 Jan 2014 23:44:46 -0800 |
| 4 | Subject: [PATCH 05/33] dix: integer overflow in REQUEST_FIXED_SIZE() |
| 5 | [CVE-2014-8092 4/4] |
| 6 | |
| 7 | Force use of 64-bit integers when evaluating data provided by clients |
| 8 | in 32-bit fields which can overflow when added or multiplied during |
| 9 | checks. |
| 10 | |
| 11 | Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> |
| 12 | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> |
| 13 | Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> |
| 14 | --- |
| 15 | include/dix.h | 3 ++- |
| 16 | 1 file changed, 2 insertions(+), 1 deletion(-) |
| 17 | |
| 18 | --- a/include/dix.h |
| 19 | +++ b/include/dix.h |
| 20 | @@ -76,7 +76,8 @@ SOFTWARE. |
| 21 | |
| 22 | #define REQUEST_FIXED_SIZE(req, n)\ |
| 23 | if (((sizeof(req) >> 2) > client->req_len) || \ |
| 24 | - (((sizeof(req) + (n) + 3) >> 2) != client->req_len)) \ |
| 25 | + ((n >> 2) >= client->req_len) || \ |
| 26 | + ((((uint64_t) sizeof(req) + (n) + 3) >> 2) != (uint64_t) client->req_len)) \ |
| 27 | return(BadLength) |
| 28 | |
| 29 | #define LEGAL_NEW_RESOURCE(id,client)\ |
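Review bot: The added check `((n >> 2) >= client->req_len)` expands the macro argument `n` without parentheses, while the next line uses `(n)`. If a caller passes an expression whose operator binds more loosely than `>>` (for example `a & b` or a conditional expression), the shift applies only to the last operand. The pre-check then tests a different value from the one the 64-bit sum uses. I would write it as `(((n) >> 2) >= client->req_len) || \`. The argument is also now evaluated twice, so the macro deserves a comment that `n` must be free of side effects. If any caller passes a signed `n`, a negative value may not be rejected by this line, because right-shifting a negative value is implementation-defined; the types of `n` and `req_len` are not visible in this hunk, so that is worth confirming against the callers.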