frederik
/
xserver
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Xext: security: fix length checking with bigreq 

The authorative source of the request frame size is client->req_len,
especially with big requests larger than 2^18 bytes.

Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/1639>
This commit is contained in:
Enrico Weigelt, metux IT consult 2024-08-06 15:58:44 +02:00 committed by Marge Bot
parent bacc4b1477
commit 67a3319d73
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Xext/security.c
View File

@ -636,10 +636,10 @@ SProcSecurityGenerateAuthorization(ClientPtr client)
values_offset = bytes_to_int32(stuff->nbytesAuthProto) + values_offset = bytes_to_int32(stuff->nbytesAuthProto) +
bytes_to_int32(stuff->nbytesAuthData); bytes_to_int32(stuff->nbytesAuthData);
if (values_offset > if (values_offset >
stuff->length - bytes_to_int32(sz_xSecurityGenerateAuthorizationReq)) client->req_len - bytes_to_int32(sz_xSecurityGenerateAuthorizationReq))
return BadLength; return BadLength;
values = (CARD32 *) (&stuff[1]) + values_offset; values = (CARD32 *) (&stuff[1]) + values_offset;
nvalues = (((CARD32 *) stuff) + stuff->length) - values; nvalues = (((CARD32 *) stuff) + client->req_len) - values;
SwapLongs(values, nvalues); SwapLongs(values, nvalues);
return ProcSecurityGenerateAuthorization(client); return ProcSecurityGenerateAuthorization(client);
} /* SProcSecurityGenerateAuthorization */ } /* SProcSecurityGenerateAuthorization */