xserver: Branch 'master'
Adam Jackson
ajax at kemper.freedesktop.org
Mon Mar 20 19:28:46 UTC 2017
record/record.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
New commits:
commit 40c12a76c2ae57adefd3b1d412387ebbfe2fb784
Author: Tobias Stoeckmann <tobias at stoeckmann.org>
Date: Sun Mar 19 17:55:07 2017 +0100
record: Fix OOB access in ProcRecordUnregisterClients
If a client sends a RecordUnregisterClients request with an nClients
field larger than INT_MAX / 4, an integer overflow leads to an
out of boundary access in RecordSanityCheckClientSpecifiers.
An example line with libXtst would be:
XRecordUnregisterClients(dpy, rc, clients, 0x40000001);
Reviewed-by: Adam Jackson <ajax at redhat.com>
diff --git a/record/record.c b/record/record.c
index 3e8b497e7..fdcee7e00 100644
--- a/record/record.c
+++ b/record/record.c
@@ -1910,7 +1910,8 @@ ProcRecordUnregisterClients(ClientPtr client)
int i;
REQUEST_AT_LEAST_SIZE(xRecordUnregisterClientsReq);
- if ((client->req_len << 2) - SIZEOF(xRecordUnregisterClientsReq) !=
+ if (INT_MAX / 4 < stuff->nClients ||
+ (client->req_len << 2) - SIZEOF(xRecordUnregisterClientsReq) !=
4 * stuff->nClients)
return BadLength;
VERIFY_CONTEXT(pContext, stuff->context, client);
More information about the xorg-commit
mailing list