[PATCH xserver] Fix OOB access in ProcRecordUnregisterClients

Tobias Stoeckmann tobias at stoeckmann.org
Sun Mar 19 16:55:07 UTC 2017


If a client sends a RecordUnregisterClients request with an nClients
field larger than INT_MAX / 4, an integer overflow leads to an
out of boundary access in RecordSanityCheckClientSpecifiers.

An example line with libXtst would be:
XRecordUnregisterClients(dpy, rc, clients, 0x40000001);
---
 record/record.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/record/record.c b/record/record.c
index 3e8b497e7..fdcee7e00 100644
--- a/record/record.c
+++ b/record/record.c
@@ -1910,7 +1910,8 @@ ProcRecordUnregisterClients(ClientPtr client)
     int i;
 
     REQUEST_AT_LEAST_SIZE(xRecordUnregisterClientsReq);
-    if ((client->req_len << 2) - SIZEOF(xRecordUnregisterClientsReq) !=
+    if (INT_MAX / 4 < stuff->nClients ||
+        (client->req_len << 2) - SIZEOF(xRecordUnregisterClientsReq) !=
         4 * stuff->nClients)
         return BadLength;
     VERIFY_CONTEXT(pContext, stuff->context, client);
-- 
2.12.0



More information about the xorg-devel mailing list