ODROID-U3 xorg-server debian package fork :
[deb_xorg-server.git] / debian / patches / CVE-2014-8xxx / 0004-dix-integer-overflow-in-RegionSizeof-CVE-2014-8092-3.patch
1 From d7b2f5c06259c7e6ba037909adec4c2a5a8b15ec Mon Sep 17 00:00:00 2001
2 From: Alan Coopersmith <alan.coopersmith@oracle.com>
3 Date: Wed, 22 Jan 2014 22:37:15 -0800
4 Subject: [PATCH 04/33] dix: integer overflow in RegionSizeof() [CVE-2014-8092
5 3/4]
6
7 RegionSizeof contains several integer overflows if a large length
8 value is passed in. Once we fix it to return 0 on overflow, we
9 also have to fix the callers to handle this error condition
10
11 v2: Fixed limit calculation in RegionSizeof as pointed out by jcristau.
12
13 Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
14 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
15 Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
16 Reviewed-by: Julien Cristau <jcristau@debian.org>
17 ---
18 dix/region.c | 20 +++++++++++++-------
19 include/regionstr.h | 10 +++++++---
20 2 files changed, 20 insertions(+), 10 deletions(-)
21
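--- a/dix/region.c
+++ b/dix/region.c
@@ -169,7 +169,6 @@ Equipment Corporation.
 ((r1)->y1 <= (r2)->y1) && \
 ((r1)->y2 >= (r2)->y2) )
 
-#define xallocData(n) malloc(RegionSizeof(n))
 #define xfreeData(reg) if ((reg)->data && (reg)->data->size) free((reg)->data)
 
 #define RECTALLOC_BAIL(pReg,n,bail) \
@@ -205,8 +204,9 @@ if (!(pReg)->data || (((pReg)->data->num
 #define DOWNSIZE(reg,numRects) \
 if (((numRects) < ((reg)->data->size >> 1)) && ((reg)->data->size > 50)) \
 { \
- RegDataPtr NewData; \
- NewData = (RegDataPtr)realloc((reg)->data, RegionSizeof(numRects)); \
+ size_t NewSize = RegionSizeof(numRects); \
+ RegDataPtr NewData = \
+ (NewSize > 0) ? realloc((reg)->data, NewSize) : NULL ; \
 if (NewData) \
 { \
 NewData->size = (numRects); \
@@ -345,17 +345,20 @@ Bool
 RegionRectAlloc(RegionPtr pRgn, int n)
 {
 RegDataPtr data;
+ size_t rgnSize;
 
 if (!pRgn->data) {
 n++;
- pRgn->data = xallocData(n);
+ rgnSize = RegionSizeof(n);
+ pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL;
 if (!pRgn->data)
 return RegionBreak(pRgn);
 pRgn->data->numRects = 1;
 *RegionBoxptr(pRgn) = pRgn->extents;
 }
 else if (!pRgn->data->size) {
- pRgn->data = xallocData(n);
+ rgnSize = RegionSizeof(n);
+ pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL;
 if (!pRgn->data)
 return RegionBreak(pRgn);
 pRgn->data->numRects = 0;
@@ -367,7 +370,8 @@ RegionRectAlloc(RegionPtr pRgn, int n)
 n = 250;
 }
 n += pRgn->data->numRects;
- data = (RegDataPtr) realloc(pRgn->data, RegionSizeof(n));
+ rgnSize = RegionSizeof(n);
+ data = (rgnSize > 0) ? realloc(pRgn->data, rgnSize) : NULL;
 if (!data)
 return RegionBreak(pRgn);
 pRgn->data = data;
@@ -1312,6 +1316,7 @@ RegionFromRects(int nrects, xRectangle *
 {
 
 RegionPtr pRgn;
+ size_t rgnSize;
 RegDataPtr pData;
 BoxPtr pBox;
 int i;
@@ -1338,7 +1343,8 @@ RegionFromRects(int nrects, xRectangle *
 }
 return pRgn;
 }
- pData = xallocData(nrects);
+ rgnSize = RegionSizeof(nrects);
+ pData = (rgnSize > 0) ? malloc(rgnSize) : NULL;
 if (!pData) {
 RegionBreak(pRgn);
 return pRgn;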
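Review bot: In RegionRectAlloc the arithmetic on `int n` (the `n++` in the first branch and `n += pRgn->data->numRects` ahead of the realloc) still runs before the value reaches RegionSizeof(), so the new size check only sees the result after any wrap. A wrapped value will usually convert to a very large size_t and be rejected, but that depends on overflow behaviour the language does not guarantee. I would reject the sum explicitly before computing rgnSize, e.g. `if (n > INT_MAX - pRgn->data->numRects) return RegionBreak(pRgn);`; the type of numRects is not visible in these hunks, so the bound may need adjusting to match. RegionRectAlloc's body continues outside the hunks shown.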
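--- a/include/regionstr.h
+++ b/include/regionstr.h
@@ -127,7 +127,10 @@ RegionEnd(RegionPtr reg)
 static inline size_t
 RegionSizeof(size_t n)
 {
- return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec)));
+ if (n < ((INT_MAX - sizeof(RegDataRec)) / sizeof(BoxRec)))
+ return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec)));
+ else
+ return 0;
 }
 
 static inline void
@@ -138,9 +141,10 @@ RegionInit(RegionPtr _pReg, BoxPtr _rect
 (_pReg)->data = (RegDataPtr) NULL;
 }
 else {
+ size_t rgnSize;
 (_pReg)->extents = RegionEmptyBox;
- if (((_size) > 1) && ((_pReg)->data =
- (RegDataPtr) malloc(RegionSizeof(_size)))) {
+ if (((_size) > 1) && ((rgnSize = RegionSizeof(_size)) > 0) &&
+ (((_pReg)->data = malloc(rgnSize)) != NULL)) {
 (_pReg)->data->size = (_size);
 (_pReg)->data->numRects = 0;
 }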
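Review bot: RegionSizeof() now returns 0 as an overflow sentinel, but nothing at the definition says so. A caller that passes the result straight to malloc() or realloc() can get back a non-NULL zero-length block (or have its buffer released by realloc) and then write the RegDataRec header into it. I would document the contract on the function, e.g. `/* Returns 0 if the size would exceed INT_MAX; callers must treat 0 as failure and must not pass it to malloc/realloc. */`, and check any RegionSizeof() users outside the two files touched here. The bound also relies on INT_MAX, so `<limits.h>` has to be in scope for this header; the include is not visible in this hunk. RegionInit's body continues outside the hunk.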