dix: integer overflow in ProcPutImage() [CVE-2014-8092 1/4]

ProcPutImage() calculates a length field from a width, left pad and depth specified by the client (if the specified format is XYPixmap). The calculations for the total amount of memory the server needs for the pixmap can overflow a 32-bit number, causing out-of-bounds memory writes on 32-bit systems (since the length is stored in a long int variable). v2: backport to nx-libs 3.6.x (Mike DePaulo) v3: port to NXdispatch.c rather than dispatch.c (Mike DePaulo) Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Conflicts: dix/dispatch.c

dix: integer overflow in ProcPutImage() [CVE-2014-8092 1/4]
8623faa4 · Alan Coopersmith · Mike DePaulo · c2298e07 · 8623faa4
Commit 8623faa4 authored Jan 22, 2014 by Alan Coopersmith Committed by Mike DePaulo May 30, 2015
Show whitespace changes
Inline Side-by-side

Showing with 2 additions and 0 deletions

NXdispatch.c nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c +2 -0

No files found.
--- a/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c
+++ b/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c
@@ -2618,6 +2618,8 @@ ProcPutImage(register ClientPtr client)

    tmpImage = (char *)&stuff[1];
    lengthProto = length;
+    if (lengthProto >= (INT32_MAX / stuff->height))
+        return BadLength;

    if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) + 
 	(sizeof(xPutImageReq) >> 2)) != client->req_len)