MFC: Xi: integer overflow and unvalidated length in

(S)ProcXIBarrierReleasePointer [jcristau: originally this patch fixed the same issue as commit 211e05ac85 "Xi: Test exact size of XIBarrierReleasePointer", with the addition of these checks] This addresses CVE-2017-12179
author: Matthieu Herrb <matthieu@cvs.openbsd.org> 2017-10-14 09:30:51 +0000
committer: Matthieu Herrb <matthieu@cvs.openbsd.org> 2017-10-14 09:30:51 +0000
commit: ddf3a6111cf80dba42a798331e0e6b5fdf19c6e2 (patch)
tree: 1bf6d7bc0ed928cf64e9fa4eca97e92e40e8a140 /xserver
parent: b4b7583e4192704b1003424d68c1b3bf525b6c2e (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/xserver/Xi/xibarriers.c b/xserver/Xi/xibarriers.c
index 0bc5761f3..b0a4a92a1 100644
--- a/xserver/Xi/xibarriers.c
+++ b/xserver/Xi/xibarriers.c
@@ -834,6 +834,8 @@ SProcXIBarrierReleasePointer(ClientPtr client)
     REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
 
     swapl(&stuff->num_barriers);
+    if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo))
+        return BadLength;
     REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
 
     info = (xXIBarrierReleasePointerInfo*) &stuff[1];
@@ -856,6 +858,9 @@ ProcXIBarrierReleasePointer(ClientPtr client)
     xXIBarrierReleasePointerInfo *info;
 
     REQUEST(xXIBarrierReleasePointerReq);
+    REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
+    if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo))
+        return BadLength;
     REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
 
     info = (xXIBarrierReleasePointerInfo*) &stuff[1];
author	Matthieu Herrb <matthieu@cvs.openbsd.org>	2017-10-14 09:30:51 +0000
committer	Matthieu Herrb <matthieu@cvs.openbsd.org>	2017-10-14 09:30:51 +0000
commit	ddf3a6111cf80dba42a798331e0e6b5fdf19c6e2 (patch)
tree	1bf6d7bc0ed928cf64e9fa4eca97e92e40e8a140 /xserver
parent	b4b7583e4192704b1003424d68c1b3bf525b6c2e (diff)