MFC: dbe: Unvalidated variable-length request in

ProcDbeGetVisualInfo (CVE-2017-12177) v2: Protect against integer overflow (Alan Coopersmith)
author: Matthieu Herrb <matthieu@cvs.openbsd.org> 2017-10-14 09:33:49 +0000
committer: Matthieu Herrb <matthieu@cvs.openbsd.org> 2017-10-14 09:33:49 +0000
commit: f45ab7df4422ed2519e6d3a553f59f3d7263c132 (patch)
tree: afff0bf70e2d0c36025d25f41f548758b7514567 /xserver
parent: 897ba3580e237cbae9c5e43232f81cf658c22dda (diff)
1 files changed, 4 insertions, 1 deletions
diff --git a/xserver/dbe/dbe.c b/xserver/dbe/dbe.c
index 23f7e164d..f31766f31 100644
--- a/xserver/dbe/dbe.c
+++ b/xserver/dbe/dbe.c
@@ -574,6 +574,9 @@ ProcDbeGetVisualInfo(ClientPtr client)
     XdbeScreenVisualInfo *pScrVisInfo;
 
     REQUEST_AT_LEAST_SIZE(xDbeGetVisualInfoReq);
+    if (stuff->n > UINT32_MAX / sizeof(CARD32))
+        return BadLength;
+    REQUEST_FIXED_SIZE(xDbeGetVisualInfoReq, stuff->n * sizeof(CARD32));
 
     if (stuff->n > UINT32_MAX / sizeof(DrawablePtr))
         return BadAlloc;
@@ -924,7 +927,7 @@ SProcDbeSwapBuffers(ClientPtr client)
 
     swapl(&stuff->n);
     if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))
-        return BadAlloc;
+        return BadLength;
     REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo));
 
     if (stuff->n != 0) {
author	Matthieu Herrb <matthieu@cvs.openbsd.org>	2017-10-14 09:33:49 +0000
committer	Matthieu Herrb <matthieu@cvs.openbsd.org>	2017-10-14 09:33:49 +0000
commit	f45ab7df4422ed2519e6d3a553f59f3d7263c132 (patch)
tree	afff0bf70e2d0c36025d25f41f548758b7514567 /xserver
parent	897ba3580e237cbae9c5e43232f81cf658c22dda (diff)