frederik
/
xserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Xi: Test exact size of XIBarrierReleasePointer 

Otherwise a client can send any value of num_barriers and cause reading or swapping of values on heap behind the receive buffer.

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
This commit is contained in:
Michal Srb 2017-07-07 17:21:46 +02:00 committed by Peter Hutterer
parent abb031e731
commit 211e05ac85
1 changed files with 6 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
Xi/xibarriers.c
View File

@ -830,10 +830,13 @@ SProcXIBarrierReleasePointer(ClientPtr client)
REQUEST(xXIBarrierReleasePointerReq); REQUEST(xXIBarrierReleasePointerReq);
int i; int i;
info = (xXIBarrierReleasePointerInfo*) &stuff[1];
swaps(&stuff->length); swaps(&stuff->length);
REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
swapl(&stuff->num_barriers); swapl(&stuff->num_barriers);
REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
info = (xXIBarrierReleasePointerInfo*) &stuff[1];
for (i = 0; i < stuff->num_barriers; i++, info++) { for (i = 0; i < stuff->num_barriers; i++, info++) {
swaps(&info->deviceid); swaps(&info->deviceid);
swapl(&info->barrier); swapl(&info->barrier);
@ -853,7 +856,7 @@ ProcXIBarrierReleasePointer(ClientPtr client)
xXIBarrierReleasePointerInfo *info; xXIBarrierReleasePointerInfo *info;
REQUEST(xXIBarrierReleasePointerReq); REQUEST(xXIBarrierReleasePointerReq);
REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq); REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
info = (xXIBarrierReleasePointerInfo*) &stuff[1]; info = (xXIBarrierReleasePointerInfo*) &stuff[1];
for (i = 0; i < stuff->num_barriers; i++, info++) { for (i = 0; i < stuff->num_barriers; i++, info++) {