frederik
/
xserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

(submit/fixup-req-len) Xext: security: fix length checking with bigreq 

The authorative source of the request frame size is client->req_len,
especially with big requests larger than 2^18 bytes.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
This commit is contained in:
Enrico Weigelt, metux IT consult 2024-08-06 15:58:44 +02:00
parent a5f0f51d1e
commit 3b0db0df71
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Xext/security.c
View File

@ -637,10 +637,10 @@ SProcSecurityGenerateAuthorization(ClientPtr client)
values_offset = bytes_to_int32(stuff->nbytesAuthProto) + values_offset = bytes_to_int32(stuff->nbytesAuthProto) +
bytes_to_int32(stuff->nbytesAuthData); bytes_to_int32(stuff->nbytesAuthData);
if (values_offset > if (values_offset >
stuff->length - bytes_to_int32(sz_xSecurityGenerateAuthorizationReq)) client->req_len - bytes_to_int32(sz_xSecurityGenerateAuthorizationReq))
return BadLength; return BadLength;
values = (CARD32 *) (&stuff[1]) + values_offset; values = (CARD32 *) (&stuff[1]) + values_offset;
nvalues = (((CARD32 *) stuff) + stuff->length) - values; nvalues = (((CARD32 *) stuff) + client->req_len) - values;
SwapLongs(values, nvalues); SwapLongs(values, nvalues);
return ProcSecurityGenerateAuthorization(client); return ProcSecurityGenerateAuthorization(client);
} /* SProcSecurityGenerateAuthorization */ } /* SProcSecurityGenerateAuthorization */