frederik
/
libxcb
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix integer overflows in xcb_in.c 

This fixes an integer overflow security vulnerability in xcb_in.c, which
may allow for memory corruption.
This commit is contained in:
Demi Marie Obenour 2021-09-23 16:46:32 -04:00
parent 233d7b7f1f
commit 43fbf03e54
1 changed files with 9 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
src/xcb_in.c
View File

@ -239,9 +239,15 @@ static int read_packet(xcb_connection_t *c)
if(pend && pend->workaround == WORKAROUND_GLX_GET_FB_CONFIGS_BUG)
{
uint32_t *p = (uint32_t *) c->in.queue;
genrep.length = p[2] * p[3] * 2;
uint64_t new_length = ((uint64_t)p[2]) * ((uint64_t)p[3]);
if(new_length >= (UINT32_MAX / UINT32_C(16)))
{
_xcb_conn_shutdown(c, XCB_CONN_CLOSED_MEM_INSUFFICIENT);
return 0;
}
length += genrep.length * 4;
genrep.length = (uint32_t)(new_length * UINT64_C(2));
}
length += genrep.length * UINT64_C(4);
/* XXX a bit of a hack -- we "know" that all FD replys place
* the number of fds in the pad0 byte */
@ -251,7 +257,7 @@ static int read_packet(xcb_connection_t *c)
/* XGE events may have sizes > 32 */
if ((genrep.response_type & 0x7f) == XCB_XGE_EVENT)
eventlength = genrep.length * 4;
eventlength = genrep.length * UINT64_C(4);
bufsize = length + eventlength + nfd * sizeof(int) +
(genrep.response_type == XCB_REPLY ? 0 : sizeof(uint32_t));