File U_Xi-Test-exact-size-of-XIBarrierReleasePointer... of Package xorg-x11-server.33719

Overview Repositories Revisions Requests Users Attributes Meta

File U_Xi-Test-exact-size-of-XIBarrierReleasePointer.patch of Package xorg-x11-server.33719

From 211e05ac85a294ef361b9f80d689047fa52b9076 Mon Sep 17 00:00:00 2001
From: Michal Srb <msrb@suse.com>
Date: Fri, 7 Jul 2017 17:21:46 +0200
Subject: [PATCH] Xi: Test exact size of XIBarrierReleasePointer

Otherwise a client can send any value of num_barriers and cause reading or swapping of values on heap behind the receive buffer.

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
---
 Xi/xibarriers.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/Xi/xibarriers.c b/Xi/xibarriers.c
index af1562ed2..d82ecb6a5 100644
--- a/Xi/xibarriers.c
+++ b/Xi/xibarriers.c
@@ -830,10 +830,13 @@ SProcXIBarrierReleasePointer(ClientPtr client)
     REQUEST(xXIBarrierReleasePointerReq);
     int i;
 
-    info = (xXIBarrierReleasePointerInfo*) &stuff[1];
-
     swaps(&stuff->length);
+    REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
+
     swapl(&stuff->num_barriers);
+    REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
+
+    info = (xXIBarrierReleasePointerInfo*) &stuff[1];
     for (i = 0; i < stuff->num_barriers; i++, info++) {
         swaps(&info->deviceid);
         swapl(&info->barrier);
@@ -853,7 +856,7 @@ ProcXIBarrierReleasePointer(ClientPtr client)
     xXIBarrierReleasePointerInfo *info;
 
     REQUEST(xXIBarrierReleasePointerReq);
-    REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
+    REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
 
     info = (xXIBarrierReleasePointerInfo*) &stuff[1];
     for (i = 0; i < stuff->num_barriers; i++, info++) {
-- 
2.13.6

Places

File U_Xi-Test-exact-size-of-XIBarrierReleasePointer.patch of Package xorg-x11-server.33719

Places