Fix potential corruption in mask_len handling

First: check for allocation failure on the mask.
XI2 requires that the mask is zeroed, so we can't just Data() the mask
provided by the client (it will pad) - we need a tmp buffer. Make sure that
doesn't fail.

Second:
req->mask_len is a uint16_t, so check against malicious mask_lens that would
cause us to corrupt memory on copy, as the code always allocates
req->mask_len * 4, but copies mask->mask_len bytes.

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

0 files changed, 0 insertions, 0 deletions