File U_CVE-2025-49179-record-Check-for-overflow-in-RecordSanityCheckRegist.patch of Package xwayland.39024

From 244101ac9d4c6963416cfc74f2174d440f1cb4b6 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Mon, 28 Apr 2025 11:47:15 +0200
Subject: [PATCH xserver] record: Check for overflow in
 RecordSanityCheckRegisterClients()

The RecordSanityCheckRegisterClients() checks for the request length,
but does not check for integer overflow.

A client might send a very large value for either the number of clients
or the number of protocol ranges that will cause an integer overflow in
the request length computation, defeating the check for request length.

To avoid the issue, explicitly check the number of clients against the
limit of clients (which is much lower than a maximum integer value) and
that the number of protocol ranges (multiplied by the record length) does
not exceed the maximum integer value.

This way, we ensure that the final computation for the request length
will not overflow the maximum integer limit.

CVE-2025-49179

This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
reported by Julian Suleder via ERNW Vulnerability Disclosure.

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
 record/record.c | 8 ++++++++
 1 file changed, 8 insertions(+)

Index: xwayland-24.1.6/record/record.c
===================================================================
--- xwayland-24.1.6.orig/record/record.c
+++ xwayland-24.1.6/record/record.c
@@ -37,6 +37,7 @@ and Jim Haggerty of Metheus.
 #endif
 
 #include "dix/eventconvert.h"
+#include "os/osdep.h"
 
 #include "dixstruct.h"
 #include "extnsionst.h"
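Review bot: The new `#include "os/osdep.h"` is added without any indication of which symbol it is needed for; the commit message only describes the two checks. If it is there for one of the macros used in the second hunk (LIMITCLIENTS or MAXINT), a short mention in the commit message would help anyone carrying this to another branch, given that the subject targets xserver while this copy applies to xwayland-24.1.6.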
@@ -1299,6 +1300,13 @@ RecordSanityCheckRegisterClients(RecordC
     int i;
     XID recordingClient;
 
+    /* LIMITCLIENTS is 2048 at max, way less that MAXINT */
+    if (stuff->nClients > LIMITCLIENTS)
+        return BadValue;
+
+    if (stuff->nRanges > (MAXINT - 4 * stuff->nClients) / SIZEOF(xRecordRange))
+        return BadValue;
+
     if (((client->req_len << 2) - SIZEOF(xRecordRegisterClientsReq)) !=
         4 * stuff->nClients + SIZEOF(xRecordRange) * stuff->nRanges)
         return BadLength;
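Review bot: In the second added check, `(MAXINT - 4 * stuff->nClients) / SIZEOF(xRecordRange)` is only a valid bound because the check above it has already limited nClients to LIMITCLIENTS; if the two were reordered or the first were dropped, `4 * stuff->nClients` could itself wrap or exceed MAXINT. The comment covers only the first check, so I would extend it to state that the second check depends on the first, and fix the typo while there ("way less that MAXINT" should read "than"). An oversized count now returns BadValue, whereas the existing length comparison below returns BadLength; that looks deliberate, but it is a client-visible difference worth a word in the commit message.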