[X2Go-Commits] [nx-libs] 25/40: dix: integer overflow in ProcPutImage() [CVE-2014-8092 1/4]
git-admin at x2go.org
git-admin at x2go.org
Sat Jun 20 00:03:28 CEST 2015
This is an automated email from the git hooks/post-receive script.
x2go pushed a commit to branch 3.6.x
in repository nx-libs.
commit 8623faa422c3659903bdb5d19eb8947579e6141f
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Wed Jan 22 21:11:16 2014 -0800
dix: integer overflow in ProcPutImage() [CVE-2014-8092 1/4]
ProcPutImage() calculates a length field from a width, left pad and depth
specified by the client (if the specified format is XYPixmap).
The calculations for the total amount of memory the server needs for the
pixmap can overflow a 32-bit number, causing out-of-bounds memory writes
on 32-bit systems (since the length is stored in a long int variable).
v2: backport to nx-libs 3.6.x (Mike DePaulo)
v3: port to NXdispatch.c rather than dispatch.c (Mike DePaulo)
Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
Conflicts:
dix/dispatch.c
---
nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c b/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c
index 3d9ee8c..e5bec8a 100644
--- a/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c
+++ b/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c
@@ -2618,7 +2618,9 @@ ProcPutImage(register ClientPtr client)
tmpImage = (char *)&stuff[1];
lengthProto = length;
-
+ if (lengthProto >= (INT32_MAX / stuff->height))
+ return BadLength;
+
if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) +
(sizeof(xPutImageReq) >> 2)) != client->req_len)
return BadLength;
--
Alioth's /srv/git/code.x2go.org/nx-libs.git//..//_hooks_/post-receive-email on /srv/git/code.x2go.org/nx-libs.git
More information about the x2go-commits
mailing list