author | Matthieu Herrb <matthieu@cvs.openbsd.org> | 2008-06-17 21:53:46 +0000 |
---|---|---|
committer | Matthieu Herrb <matthieu@cvs.openbsd.org> | 2008-06-17 21:53:46 +0000 |
commit | 60c21fe8c605a7e42340b55a40ac3465a3fb18ce (patch) | |
tree | a3dcb68fa716e3cd21cbc5ecec64ec2bbcc81e70 | |
parent | 013d3f13a1f57ea1fcf254baac3202651056eef7 (diff) |
CVE-2008-1379 - MIT-SHM arbitrary memory read.
(This patch was missing from the bunch of security patches committed
on June 11. noticed by brad@).
-rw-r--r-- | xserver/Xext/shm.c | 13 |
1 files changed, 11 insertions, 2 deletions
diff --git a/xserver/Xext/shm.c b/xserver/Xext/shm.c
index 3c0d1eef0..de908cfe8 100644
--- a/xserver/Xext/shm.c
+++ b/xserver/Xext/shm.c
@@ -848,8 +848,17 @@ ProcShmPutImage(client)
 return BadValue;
 }
 
- VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
- client);
+ /*
+ * There's a potential integer overflow in this check:
+ * VERIFY_SHMSIZE(shmdesc, stuff->offset, length * stuff->totalHeight,
+ * client);
+ * the version below ought to avoid it
+ */
+ if (stuff->totalHeight != 0 &&
+ length > (shmdesc->size - stuff->offset)/stuff->totalHeight) {
+ client->errorValue = stuff->totalWidth;
+ return BadValue;
+ }
 if (stuff->srcX > stuff->totalWidth)
 {
 client->errorValue = stuff->srcX; |
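Review bot: The new bound `(shmdesc->size - stuff->offset)/stuff->totalHeight` still assumes `stuff->offset <= shmdesc->size`; if both operands are unsigned (their types are declared outside this hunk), an offset past the end of the segment makes the subtraction wrap to a very large value and the size check passes. Unless the offset is range-checked earlier in ProcShmPutImage, which this hunk does not show, the condition should reject that case first: `if (stuff->offset > shmdesc->size || (stuff->totalHeight != 0 && length > (shmdesc->size - stuff->offset)/stuff->totalHeight)) {`. The failure path also now returns BadValue with `errorValue = stuff->totalWidth` in place of whatever VERIFY_SHMSIZE returned, so it is worth confirming that clients get the intended error for an undersized segment. The function body starts and ends outside the hunk.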