SwallowOS/xserver_xsdl
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Xi: unvalidated lengths in Xinput extension [CVE-2014-8095]

Browse Source 
Multiple functions in the Xinput extension handling of requests from
clients failed to check that the length of the request sent by the
client was large enough to perform all the required operations and
thus could read or write to memory outside the bounds of the request
buffer.

This commit includes the creation of a new REQUEST_AT_LEAST_EXTRA_SIZE
macro in include/dix.h for the common case of needing to ensure a
request is large enough to include both the request itself and a
minimum amount of extra data following the request header.

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
This commit is contained in:
Alan Coopersmith
2014-01-26 10:54:41 -08:00
parent 2ef42519c4
commit 73c63afb93
17 changed files with 94 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
Xi/sendexev.c
View File

@@ -135,6 +135,9 @@ ProcXSendExtensionEvent(ClientPtr client)
if (ret != Success)
return ret;
if (stuff->num_events == 0)
return ret;
/* The client's event type must be one defined by an extension. */
first = ((xEvent *) &stuff[1]);