Imported Debian patch 2:1.15.1-0ubuntu2.6
[deb_xorg-server.git] / debian / patches / CVE-2014-8xxx / 0005-dix-integer-overflow-in-REQUEST_FIXED_SIZE-CVE-2014-.patch
1 From 7d4f361a216718fc7333ab805dafdb9e5c85c180 Mon Sep 17 00:00:00 2001
2 From: Alan Coopersmith <alan.coopersmith@oracle.com>
3 Date: Wed, 22 Jan 2014 23:44:46 -0800
4 Subject: [PATCH 05/33] dix: integer overflow in REQUEST_FIXED_SIZE()
5 [CVE-2014-8092 4/4]
6
7 Force use of 64-bit integers when evaluating data provided by clients
8 in 32-bit fields which can overflow when added or multiplied during
9 checks.
10
11 Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
12 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
13 Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
14 ---
15 include/dix.h | 3 ++-
16 1 file changed, 2 insertions(+), 1 deletion(-)
17
18 diff --git a/include/dix.h b/include/dix.h
19 index 991a3ce..e0c6ed8 100644
20 --- a/include/dix.h
21 +++ b/include/dix.h
22 @@ -76,7 +76,8 @@ SOFTWARE.
23
24 #define REQUEST_FIXED_SIZE(req, n)\
25 if (((sizeof(req) >> 2) > client->req_len) || \
26 - (((sizeof(req) + (n) + 3) >> 2) != client->req_len)) \
27 + ((n >> 2) >= client->req_len) || \
28 + ((((uint64_t) sizeof(req) + (n) + 3) >> 2) != (uint64_t) client->req_len)) \
29 return(BadLength)
30
31 #define LEGAL_NEW_RESOURCE(id,client)\
32 --
33 1.7.9.2
34