Xi: integer overflow and unvalidated length in (S)ProcXIBarrierReleasePointer

[jcristau: originally this patch fixed the same issue as commit 211e05ac85 "Xi: Test exact size of XIBarrierReleasePointer", with the addition of these checks] This addresses CVE-2017-12179 Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com> Signed-off-by: Nathan Kidd <nkidd@opentext.com> Signed-off-by: Julien Cristau <jcristau@debian.org>
2015-01-09 10:04:41 -05:00
parent 1b1d4c0469
commit d088e3c128
1 changed files with 5 additions and 0 deletions
--- a/Xi/xibarriers.c
+++ b/Xi/xibarriers.c
@@ -834,6 +834,8 @@ SProcXIBarrierReleasePointer(ClientPtr client)
    REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);

    swapl(&stuff->num_barriers);
+    if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo))
+        return BadLength;
    REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));

    info = (xXIBarrierReleasePointerInfo*) &stuff[1];
@@ -856,6 +858,9 @@ ProcXIBarrierReleasePointer(ClientPtr client)
    xXIBarrierReleasePointerInfo *info;

    REQUEST(xXIBarrierReleasePointerReq);
+    REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
+    if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo))
+        return BadLength;
    REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));

    info = (xXIBarrierReleasePointerInfo*) &stuff[1];