xserver: Branch 'master'
Eric Anholt
anholt at kemper.freedesktop.org
Tue Oct 10 00:09:16 UTC 2017
os/io.c | 5 +++++
1 file changed, 5 insertions(+)
New commits:
commit 9c23685009aa96f4b861dcc5d2e01dbee00c4dd9
Author: Michal Srb <msrb at suse.com>
Date: Fri Jul 7 17:04:03 2017 +0200
os: Make sure big requests have sufficient length.
A client can send a big request where the 32B "length" field has value
0. When the big request header is removed and the length corrected,
the value will underflow to 0xFFFFFFFF. Functions processing the
request later will think that the client sent much more data and may
touch memory beyond the receive buffer.
Signed-off-by: Eric Anholt <eric at anholt.net>
Reviewed-by: Peter Hutterer <peter.hutterer at who-t.net>
diff --git a/os/io.c b/os/io.c
index b0402912a..955c24924 100644
--- a/os/io.c
+++ b/os/io.c
@@ -441,6 +441,11 @@ ReadRequestFromClient(ClientPtr client)
if (!gotnow)
AvailableInput = oc;
if (move_header) {
+ if (client->req_len < bytes_to_int32(sizeof(xBigReq) - sizeof(xReq))) {
+ YieldControlDeath();
+ return -1;
+ }
+
request = (xReq *) oci->bufptr;
oci->bufptr += (sizeof(xBigReq) - sizeof(xReq));
*(xReq *) oci->bufptr = *request;
More information about the xorg-commit
mailing list