author | Matthieu Herrb <matthieu@cvs.openbsd.org> | 2008-01-17 15:43:44 +0000 |
---|---|---|
committer | Matthieu Herrb <matthieu@cvs.openbsd.org> | 2008-01-17 15:43:44 +0000 |
commit | b26d7d4251e204dce314ef01b386545e58565618 (patch) | |
tree | 0e79416f64b84c44fff8af0021c31b2be17de13d /xserver/Xext/EVI.c | |
parent | ad2e0382aacd07cfaa9dd0f8abdc9d0876ab0c01 (diff) |
Fix from X.Org for CVE-2007-6429 - MIT-SHM and EVI extensions integer overflows.
Diffstat (limited to 'xserver/Xext/EVI.c')
-rw-r--r-- | xserver/Xext/EVI.c | 15 |
1 files changed, 14 insertions, 1 deletions
diff --git a/xserver/Xext/EVI.c b/xserver/Xext/EVI.c
index 8fe3481d4..13bd32aee 100644
--- a/xserver/Xext/EVI.c
+++ b/xserver/Xext/EVI.c
@@ -34,6 +34,7 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
 #include <X11/extensions/XEVIstr.h>
 #include "EVIstruct.h"
 #include "modinit.h"
+#include "scrnintstr.h"
 #if 0
 static unsigned char XEVIReqCode = 0;
@@ -87,10 +88,22 @@ ProcEVIGetVisualInfo(ClientPtr client)
 {
 REQUEST(xEVIGetVisualInfoReq);
 xEVIGetVisualInfoReply rep;
- int n, n_conflict, n_info, sz_info, sz_conflict;
+ int i, n, n_conflict, n_info, sz_info, sz_conflict;
 VisualID32 *conflict;
+ unsigned int total_visuals = 0;
 xExtendedVisualInfo *eviInfo;
 int status;
+
+ /*
+ * do this first, otherwise REQUEST_FIXED_SIZE can overflow. we assume
+ * here that you don't have more than 2^32 visuals over all your screens;
+ * this seems like a safe assumption.
+ */
+ for (i = 0; i < screenInfo.numScreens; i++)
+ total_visuals += screenInfo.screens[i]->numVisuals;
+ if (stuff->n_visual > total_visuals)
+ return BadValue;
+
 REQUEST_FIXED_SIZE(xEVIGetVisualInfoReq, stuff->n_visual * sz_VisualID32);
 status = eviPriv->getVisualInfo((VisualID32 *)&stuff[1], (int)stuff->n_visual, &eviInfo, &n_info, &conflict, &n_conflict); |
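Review bot: The new bound check in ProcEVIGetVisualInfo reads `stuff->n_visual` before anything visible in the hunk has confirmed that the request is long enough to contain that field; the only length check shown is `REQUEST_FIXED_SIZE`, which now runs after the read. For a request shorter than the fixed header, the comparison would be made against whatever bytes follow it in the input buffer, so I would add `REQUEST_AT_LEAST_SIZE(xEVIGetVisualInfoReq);` ahead of the `for` loop. The comment's 2^32 ceiling is also looser than the multiplication needs: `stuff->n_visual * sz_VisualID32` wraps below that whenever `sz_VisualID32` is greater than one, so the comment should state the assumption as the product of total_visuals and sz_VisualID32 fitting in the operand type. The function body continues past the end of the hunk, so the later size computations on n_info and n_conflict are not covered by this note.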