xserver: Branch 'master'

Adam Jackson ajax at kemper.freedesktop.org
Thu Sep 24 10:47:09 PDT 2015


 hw/xfree86/dri2/dri2ext.c |   14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

New commits:
commit 6ca496b7c3ccfd677c8c1bee88cc509a5e3c9e04
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Mon Sep 21 22:36:41 2015 -0700

    dri2: better checks for integer overflow in GetBuffers*
    
    Check for integer overflow before using stuff->count in a multiplication,
    to avoid the compiler optimizing the check out due to undefined behaviour,
    but only after we've checked to make sure stuff->count is in the range of
    the request we're parsing.
    
    Reported-by: jes at posteo.de
    Reviewed-by: Adam Jackson <ajax at redhat.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

diff --git a/hw/xfree86/dri2/dri2ext.c b/hw/xfree86/dri2/dri2ext.c
index 221ec53..520b7cf 100644
--- a/hw/xfree86/dri2/dri2ext.c
+++ b/hw/xfree86/dri2/dri2ext.c
@@ -269,9 +269,11 @@ ProcDRI2GetBuffers(ClientPtr client)
     int status, width, height, count;
     unsigned int *attachments;
 
-    REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * 4);
-    if (stuff->count > (INT_MAX / 4))
+    REQUEST_AT_LEAST_SIZE(xDRI2GetBuffersReq);
+    /* stuff->count is a count of CARD32 attachments that follows */
+    if (stuff->count > (INT_MAX / sizeof(CARD32)))
         return BadLength;
+    REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * sizeof(CARD32));
 
     if (!validDrawable(client, stuff->drawable, DixReadAccess | DixWriteAccess,
                        &pDrawable, &status))
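Review bot: The comment added above the guard in ProcDRI2GetBuffers says what stuff->count counts, but not why the three statements must stay in this order, and that order is the whole fix. I would extend it to something like `/* stuff->count is client-supplied: REQUEST_AT_LEAST_SIZE must run before it is read, and the INT_MAX bound must run before the multiplication so the length cannot wrap */`. The context line declares the local `count` as `int`, which is presumably why the bound is INT_MAX rather than a size_t limit; saying so would stop a later cleanup from loosening it. The same applies to the guard in ProcDRI2GetBuffersWithFormat, and both function bodies continue outside their hunks.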
@@ -297,7 +299,13 @@ ProcDRI2GetBuffersWithFormat(ClientPtr client)
     int status, width, height, count;
     unsigned int *attachments;
 
-    REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * (2 * 4));
+    REQUEST_AT_LEAST_SIZE(xDRI2GetBuffersReq);
+    /* stuff->count is a count of pairs of CARD32s (attachments & formats)
+       that follows */
+    if (stuff->count > (INT_MAX / (2 * sizeof(CARD32))))
+        return BadLength;
+    REQUEST_FIXED_SIZE(xDRI2GetBuffersReq,
+                       stuff->count * (2 * sizeof(CARD32)));
     if (!validDrawable(client, stuff->drawable, DixReadAccess | DixWriteAccess,
                        &pDrawable, &status))
         return status;
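Review bot: The per-entry size `2 * sizeof(CARD32)` is written out twice in ProcDRI2GetBuffersWithFormat, once as the divisor in the guard and once as the multiplier passed to REQUEST_FIXED_SIZE, and the guard only protects the multiplication while the two stay identical. Naming it once alongside the existing declarations, for example `const size_t pair_size = 2 * sizeof(CARD32);`, and then using `stuff->count > INT_MAX / pair_size` and `stuff->count * pair_size`, keeps the check and the length in step if the wire format changes. The function starts and ends outside the hunk, so where exactly the declaration belongs is for the author to confirm.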

