frederik
/
xserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Xi: extra length checking for requests providing masks. 

masks can be of arbitrary length. If the client did not initialize mask_len,
some sort of boundary check is needed to avoid running over memory.

Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
This commit is contained in:
Peter Hutterer 2009-09-01 15:16:17 +10:00
parent 0e4dd3b2d2
commit 58c298acc1
1 changed files with 11 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
Xi/xiselectev.c
View File

@ -69,6 +69,7 @@ ProcXISelectEvents(ClientPtr client)
DeviceIntRec dummy;
xXIEventMask *evmask;
int *types = NULL;
int len;
REQUEST(xXISelectEventsReq);
REQUEST_AT_LEAST_SIZE(xXISelectEventsReq);
@ -80,11 +81,18 @@ ProcXISelectEvents(ClientPtr client)
if (rc != Success)
return rc;
len = sz_xXISelectEventsReq;
/* check request validity */
evmask = (xXIEventMask*)&stuff[1];
num_masks = stuff->num_masks;
while(num_masks--)
{
len += sizeof(xXIEventMask) + evmask->mask_len * 4;
if (bytes_to_int32(len) > stuff->length)
return BadLength;
if (evmask->deviceid != XIAllDevices &&
evmask->deviceid != XIAllMasterDevices)
rc = dixLookupDevice(&dev, evmask->deviceid, client, DixUseAccess);
@ -128,6 +136,9 @@ ProcXISelectEvents(ClientPtr client)
evmask++;
}
if (bytes_to_int32(len) != stuff->length)
return BadLength;
/* Set masks on window */
evmask = (xXIEventMask*)&stuff[1];
num_masks = stuff->num_masks;