author | Matthieu Herrb <matthieu@cvs.openbsd.org> | 2017-10-14 09:29:02 +0000 |
---|---|---|
committer | Matthieu Herrb <matthieu@cvs.openbsd.org> | 2017-10-14 09:29:02 +0000 |
commit | b4b7583e4192704b1003424d68c1b3bf525b6c2e (patch) | |
tree | 0ff4b3da6fa8cd051fb2372610c0e7926b3831b3 /xserver | |
parent | 7a8b8272d7cc3487b1c99f798e7c7a0a98617898 (diff) |
MFC: Xi: Test exact size of XIBarrierReleasePointer
Otherwise a client can send any value of num_barriers and cause
reading or swapping of values on heap behind the receive buffer.
Diffstat (limited to 'xserver')
-rw-r--r-- | xserver/Xi/xibarriers.c | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/xserver/Xi/xibarriers.c b/xserver/Xi/xibarriers.c index a8b92cc18..0bc5761f3 100644 --- a/xserver/Xi/xibarriers.c +++ b/xserver/Xi/xibarriers.c @@ -830,10 +830,13 @@ SProcXIBarrierReleasePointer(ClientPtr client) REQUEST(xXIBarrierReleasePointerReq); int i; - info = (xXIBarrierReleasePointerInfo*) &stuff[1]; - swaps(&stuff->length); + REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq); + swapl(&stuff->num_barriers); + REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo)); + + info = (xXIBarrierReleasePointerInfo*) &stuff[1]; for (i = 0; i < stuff->num_barriers; i++, info++) { swaps(&info->deviceid); swapl(&info->barrier); @@ -853,7 +856,7 @@ ProcXIBarrierReleasePointer(ClientPtr client) xXIBarrierReleasePointerInfo *info; REQUEST(xXIBarrierReleasePointerReq); - REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq); + REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo)); info = (xXIBarrierReleasePointerInfo*) &stuff[1]; for (i = 0; i < stuff->num_barriers; i++, info++) { |
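Review bot: The size argument `stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo)` passed to REQUEST_FIXED_SIZE in SProcXIBarrierReleasePointer is computed in size_t, so on a build where size_t is 32 bits a large client-supplied num_barriers can wrap the product before it is compared with the request length, while the loop below still runs to the unwrapped count. num_barriers appears to be a 32-bit field (it is swapped with swapl) and the macro's definition is not visible on this page, so this should be confirmed against it. A bound ahead of the multiplication would close the gap: `if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo)) return BadLength;`. The second hunk uses the same expression in ProcXIBarrierReleasePointer and needs the same guard; both function bodies continue outside the hunks.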
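Review bot: ProcXIBarrierReleasePointer now reads `stuff->num_barriers` as a macro argument with no visible check that the request is at least `sizeof(xXIBarrierReleasePointerReq)` long, whereas the swapped path keeps `REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);` in front of its first access to that field. Whether the read is safe depends on REQUEST_FIXED_SIZE testing the header size before it evaluates its second argument, which this page does not show. Either keep the `REQUEST_AT_LEAST_SIZE` line ahead of `REQUEST_FIXED_SIZE` here as well, or, once the macro's order of evaluation is confirmed, add a comment such as `/* REQUEST_FIXED_SIZE rejects short requests before num_barriers is read */`.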