xserver: Branch 'master'

Adam Jackson ajax at kemper.freedesktop.org
Mon Mar 13 20:58:09 UTC 2017


 render/render.c |    4 ++++
 1 file changed, 4 insertions(+)

New commits:
commit ac15d4cecca377c5c31ab852c39bbd554ca48fe2
Author: Tobias Stoeckmann <tobias at stoeckmann.org>
Date:   Mon Mar 13 19:13:14 2017 +0100

    render: Fix out of boundary heap access
    
    ProcRenderCreateRadialGradient and ProcRenderCreateConicalGradient must
    be protected against an integer overflow during length check. This is
    already included in ProcRenderCreateLinearGradient since the fix for
    CVE-2008-2362.
    
    This can only be exploited on a 32-bit system, where it leads to an
    out-of-bounds read later on. Validated using ASAN.
    
    Reviewed-by: Adam Jackson <ajax at redhat.com>

diff --git a/render/render.c b/render/render.c
index 8dc1f34..ccae49a 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1908,6 +1908,8 @@ ProcRenderCreateRadialGradient(ClientPtr client)
     LEGAL_NEW_RESOURCE(stuff->pid, client);
 
     len = (client->req_len << 2) - sizeof(xRenderCreateRadialGradientReq);
+    if (stuff->nStops > UINT32_MAX / (sizeof(xFixed) + sizeof(xRenderColor)))
+        return BadLength;
     if (len != stuff->nStops * (sizeof(xFixed) + sizeof(xRenderColor)))
         return BadLength;
 
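Review bot: The new guard on the `nStops` line carries no comment saying why it exists, and since the product it protects is computed in `size_t`, a reader on a 64-bit build will see that `nStops * (sizeof(xFixed) + sizeof(xRenderColor))` cannot wrap there and may be tempted to drop it; the bound only matters where `size_t` is 32 bits, which the commit message states but the code does not. I would add `/* On 32-bit size_t the multiplication below can wrap; bound nStops first (same guard as the linear gradient, CVE-2008-2362). */` above the check. The identical guard in the ProcRenderCreateConicalGradient hunk below should get the same comment, and with the linear variant this is now the third copy of the stop-size check, so a small shared helper (`static int stops_len_ok(CARD32 nStops, size_t len)` or similar) would keep the three length validations from drifting apart again. Whether `len` can already underflow when `req_len << 2` is smaller than the request header depends on a length check earlier in the function, which is outside this hunk; both enclosing functions start and end outside the visible lines.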
@@ -1946,6 +1948,8 @@ ProcRenderCreateConicalGradient(ClientPtr client)
     LEGAL_NEW_RESOURCE(stuff->pid, client);
 
     len = (client->req_len << 2) - sizeof(xRenderCreateConicalGradientReq);
+    if (stuff->nStops > UINT32_MAX / (sizeof(xFixed) + sizeof(xRenderColor)))
+        return BadLength;
     if (len != stuff->nStops * (sizeof(xFixed) + sizeof(xRenderColor)))
         return BadLength;
 

