| 1 | From b20912c3d45cbbde3c443e6c3d9e189092fe65e1 Mon Sep 17 00:00:00 2001 |
| 2 | From: Keith Packard <keithp@keithp.com> |
| 3 | Date: Tue, 9 Dec 2014 09:30:57 -0800 |
| 4 | Subject: dbe: Call to DDX SwapBuffers requires address of int, not unsigned |
| 5 | int [CVE-2014-8097 pt. 2] |
| 6 | |
| 7 | When the local types used to walk the DBE request were changed, this |
| 8 | changed the type of the parameter passed to the DDX SwapBuffers API, |
| 9 | but there wasn't a matching change in the API definition. |
| 10 | |
| 11 | At this point, with the API frozen, I just stuck a new variable in |
| 12 | with the correct type. Because we've already bounds-checked nStuff to |
| 13 | be smaller than UINT32_MAX / sizeof(DbeSwapInfoRec), we know it will |
| 14 | fit in a signed int without overflow. |
| 15 | |
| 16 | Signed-off-by: Keith Packard <keithp@keithp.com |
| 17 | Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> |
| 18 | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> |
| 19 | |
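--- a/dbe/dbe.c
+++ b/dbe/dbe.c
@@ -452,6 +452,7 @@ ProcDbeSwapBuffers(ClientPtr client)
 int error;
 unsigned int i, j;
 unsigned int nStuff;
+ int nStuff_i; /* DDX API requires int for nStuff */
 
 REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
 nStuff = stuff->n; /* use local variable for performance. */
@@ -527,9 +528,10 @@ ProcDbeSwapBuffers(ClientPtr client)
 * could deal with cross-screen synchronization.
 */
 
- while (nStuff > 0) {
+ nStuff_i = nStuff;
+ while (nStuff_i > 0) {
 pDbeScreenPriv = DBE_SCREEN_PRIV_FROM_WINDOW(swapInfo[0].pWindow);
- error = (*pDbeScreenPriv->SwapBuffers) (client, &nStuff, swapInfo);
+ error = (*pDbeScreenPriv->SwapBuffers) (client, &nStuff_i, swapInfo);
 if (error != Success) {
 free(swapInfo);
 return error;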
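Review bot: The assignment `nStuff_i = nStuff;` ahead of the swap loop narrows unsigned int to int implicitly, and it is only safe because of a bounds check that sits outside both hunks; the commit message states that invariant (nStuff below UINT32_MAX / sizeof(DbeSwapInfoRec)) but the code does not. A comment at the assignment, for example `/* nStuff was checked against UINT32_MAX / sizeof(DbeSwapInfoRec) above, so it fits in int */`, would keep a later edit to that check from silently handing the DDX a negative or truncated count. Writing the conversion as `nStuff_i = (int) nStuff;` would also make the narrowing explicit for readers and for builds that warn on sign conversion. ProcDbeSwapBuffers begins and ends outside the hunks, so the check itself could not be confirmed from this page.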