Protocol handling issues in X Window System servers

One year after Ilja van Sprundel, discovered and reported a large number of issues in the way the X server code base handles requests from X clients, they have been fixed.
author: Matthieu Herrb <matthieu@cvs.openbsd.org> 2014-12-09 17:58:54 +0000
committer: Matthieu Herrb <matthieu@cvs.openbsd.org> 2014-12-09 17:58:54 +0000
commit: a585be1a395b9a0636f34b828859cd8031741633 (patch)
tree: b6a2594689d1bd1cb681cc19917563b4316e6d0a /xserver/dix/dispatch.c
parent: 41d594947842df4658fc39cfc15d2c3514548cbe (diff)
1 files changed, 3 insertions, 0 deletions
diff --git a/xserver/dix/dispatch.c b/xserver/dix/dispatch.c
index 4f830f7f4..01820bc0f 100644
--- a/xserver/dix/dispatch.c
+++ b/xserver/dix/dispatch.c
@@ -1956,6 +1956,9 @@ ProcPutImage(ClientPtr client)
     tmpImage = (char *) &stuff[1];
     lengthProto = length;
 
+    if (lengthProto >= (INT32_MAX / stuff->height))
+        return BadLength;
+
     if ((bytes_to_int32(lengthProto * stuff->height) +
          bytes_to_int32(sizeof(xPutImageReq))) != client->req_len)
         return BadLength;
author	Matthieu Herrb <matthieu@cvs.openbsd.org>	2014-12-09 17:58:54 +0000
committer	Matthieu Herrb <matthieu@cvs.openbsd.org>	2014-12-09 17:58:54 +0000
commit	a585be1a395b9a0636f34b828859cd8031741633 (patch)
tree	b6a2594689d1bd1cb681cc19917563b4316e6d0a /xserver/dix/dispatch.c
parent	41d594947842df4658fc39cfc15d2c3514548cbe (diff)