authorTobias Stoeckmann <tobias@stoeckmann.org>2016-09-25 22:38:44 +0200
committerMatthieu Herrb <matthieu@herrb.eu>2016-09-25 22:38:44 +0200
commit61c1039ee23a2d1de712843bed3480654d7ef42e (patch)
tree68b14ad812f4ee9cae7b376a0ae736b72b82bcbc
parentb2406ed9031991b7ddc5b76b308623afc8a590c5 (diff)
Integer overflow on illegal server response
The 32 bit field "rep.length" is not checked for validity, which allows an integer overflow on 32 bit systems. A malicious server could send INT_MAX as length, which gets multiplied by the size of XRectangle. In that case the client won't read the whole data from server, getting out of sync. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org> Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
-rw-r--r--src/Region.c15
1 files changed, 12 insertions, 3 deletions
diff --git a/src/Region.c b/src/Region.c
index cb0cf6e..59bcc1a 100644
--- a/src/Region.c
+++ b/src/Region.c
@@ -23,6 +23,7 @@
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
+#include <limits.h>
#include "Xfixesint.h"
XserverRegion
@@ -333,9 +334,17 @@ XFixesFetchRegionAndBounds (Display *dpy,
bounds->y = rep.y;
bounds->width = rep.width;
bounds->height = rep.height;
- nbytes = (long) rep.length << 2;
- nrects = rep.length >> 1;
- rects = Xmalloc (nrects * sizeof (XRectangle));
+
+ if (rep.length < (INT_MAX >> 2)) {
+ nbytes = (long) rep.length << 2;
+ nrects = rep.length >> 1;
+ rects = Xmalloc (nrects * sizeof (XRectangle));
+ } else {
+ nbytes = 0;
+ nrects = 0;
+ rects = NULL;
+ }
+
if (!rects)
{
_XEatDataWords(dpy, rep.length);
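Review bot: The new `if (rep.length < (INT_MAX >> 2))` guard bounds `rep.length << 2` and `nrects * sizeof (XRectangle)` against overflow but still accepts an odd rep.length, for which nbytes counts rep.length 4-byte words while the allocation covers only rep.length >> 1 rectangles, so the last word has no room in rects if sizeof (XRectangle) is 8 and the read that follows the `if (!rects)` block (outside this hunk) transfers nbytes into rects. Rejecting that case on the same line, `if (rep.length < (INT_MAX >> 2) && (rep.length & 1) == 0) {`, would route it through the existing NULL/_XEatDataWords error path instead of trusting the server's word count. The bound itself reads as a magic expression; a comment above it such as `/* reject lengths for which length << 2 or (length >> 1) * sizeof (XRectangle) could overflow on 32-bit hosts */` would record why INT_MAX >> 2 was chosen. XFixesFetchRegionAndBounds begins before this hunk and continues after it.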