Overview

File U_0006-dbe-Unvalidated-variable-length-request-in-ProcDbeGe.patch of Package xorg-x11-server.24940

From 4ca68b878e851e2136c234f40a25008297d8d831 Mon Sep 17 00:00:00 2001
From: Nathan Kidd <nkidd@opentext.com>
Date: Fri, 9 Jan 2015 10:09:14 -0500
Subject: [PATCH 6/7] dbe: Unvalidated variable-length request in
 ProcDbeGetVisualInfo (CVE-2017-12177)

v2: Protect against integer overflow (Alan Coopersmith)

Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Nathan Kidd <nkidd@opentext.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
---
 dbe/dbe.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/dbe/dbe.c b/dbe/dbe.c
index 9a0c7a701..292a22366 100644
--- a/dbe/dbe.c
+++ b/dbe/dbe.c
@@ -574,6 +574,9 @@ ProcDbeGetVisualInfo(ClientPtr client)
     XdbeScreenVisualInfo *pScrVisInfo;
 
     REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq);
+    if (stuff->n > UINT32_MAX / sizeof(CARD32))
+        return BadLength;
+    REQUEST_FIXED_SIZE(xDbeGetVisualInfoReq, stuff->n * sizeof(CARD32));
 
     if (stuff->n > UINT32_MAX / sizeof(DrawablePtr))
         return BadAlloc;
@@ -924,7 +927,7 @@ SProcDbeSwapBuffers(ClientPtr client)
 
     swapl(&stuff->n);
     if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))
-        return BadAlloc;
+        return BadLength;
     REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo));
 
     if (stuff->n != 0) {
-- 
2.13.6
openSUSE Build Service is sponsored by
Places