Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:Alexander_Naumov:SLE-12:Update
libXfixes.3298
U_Integer-overflow-on-illegal-server-response.p...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File U_Integer-overflow-on-illegal-server-response.patch of Package libXfixes.3298
From 61c1039ee23a2d1de712843bed3480654d7ef42e Mon Sep 17 00:00:00 2001 From: Tobias Stoeckmann <tobias@stoeckmann.org> Date: Sun, 25 Sep 2016 22:38:44 +0200 Subject: [PATCH] Integer overflow on illegal server response The 32 bit field "rep.length" is not checked for validity, which allows an integer overflow on 32 bit systems. A malicious server could send INT_MAX as length, which gets multiplied by the size of XRectangle. In that case the client won't read the whole data from server, getting out of sync. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org> Reviewed-by: Matthieu Herrb <matthieu@herrb.eu> --- src/Region.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/src/Region.c b/src/Region.c index cb0cf6e..59bcc1a 100644 --- a/src/Region.c +++ b/src/Region.c @@ -23,6 +23,7 @@ #ifdef HAVE_CONFIG_H #include <config.h> #endif +#include <limits.h> #include "Xfixesint.h" XserverRegion @@ -333,9 +334,17 @@ XFixesFetchRegionAndBounds (Display *dpy, bounds->y = rep.y; bounds->width = rep.width; bounds->height = rep.height; - nbytes = (long) rep.length << 2; - nrects = rep.length >> 1; - rects = Xmalloc (nrects * sizeof (XRectangle)); + + if (rep.length < (INT_MAX >> 2)) { + nbytes = (long) rep.length << 2; + nrects = rep.length >> 1; + rects = Xmalloc (nrects * sizeof (XRectangle)); + } else { + nbytes = 0; + nrects = 0; + rects = NULL; + } + if (!rects) { _XEatDataWords(dpy, rep.length); -- 2.6.6
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor