xserver: Branch 'master' - 2 commits
Matthieu Herrb
herrb at kemper.freedesktop.org
Tue Apr 3 17:05:45 EEST 2007
Xext/xcmisc.c | 13 +++++++++++--
1 files changed, 11 insertions(+), 2 deletions(-)
New commits:
diff-tree 1cc8db72816cd079f30255046e10043c350bf683 (from parents)
Merge: 645d87cf8ef724d4591614f9994cdc4d7549a7a8 a39f297ada4fa87c858395ae2aacefac5f8fba05
Author: Matthieu Herrb <matthieu at roadrock.(none)>
Date: Tue Apr 3 16:04:45 2007 +0200
Merge branch 'master' of ssh://herrb@git.freedesktop.org/git/xorg/xserver
diff-tree 645d87cf8ef724d4591614f9994cdc4d7549a7a8 (from f2808005f4ee72c5fd7f5f3dcca181306485113e)
Author: Matthieu Herrb <matthieu at roadrock.(none)>
Date: Tue Apr 3 15:47:18 2007 +0200
CVE-2007-1003: XC-MISC Extension ProcXCMiscGetXIDList() Memory Corruption
diff --git a/Xext/xcmisc.c b/Xext/xcmisc.c
index f26218e..8c7a86e 100644
--- a/Xext/xcmisc.c
+++ b/Xext/xcmisc.c
@@ -42,6 +42,12 @@ from The Open Group.
#include <X11/extensions/xcmiscstr.h>
#include "modinit.h"
+#if HAVE_STDINT_H
+#include <stdint.h>
+#elif !defined(UINT32_MAX)
+#define UINT32_MAX 0xffffffffU
+#endif
+
#if 0
static unsigned char XCMiscCode;
#endif
@@ -143,7 +149,10 @@ ProcXCMiscGetXIDList(client)
REQUEST_SIZE_MATCH(xXCMiscGetXIDListReq);
- pids = (XID *)ALLOCATE_LOCAL(stuff->count * sizeof(XID));
+ if (stuff->count > UINT32_MAX / sizeof(XID))
+ return BadAlloc;
+
+ pids = (XID *)Xalloc(stuff->count * sizeof(XID));
if (!pids)
{
return BadAlloc;
@@ -164,7 +173,7 @@ ProcXCMiscGetXIDList(client)
client->pSwapReplyFunc = (ReplySwapPtr) Swap32Write;
WriteSwappedDataToClient(client, count * sizeof(XID), pids);
}
- DEALLOCATE_LOCAL(pids);
+ Xfree(pids);
return(client->noClientException);
}
More information about the xorg-commit
mailing list