os: Check for integer overflow on BigRequest length

Check for another possible integer overflow once we get a complete xReq
with BigRequest.

Related to CVE-2025-49176

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Suggested-by: Peter Harris <pharris2@rocketsoftware.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2028>
This commit is contained in:
Olivier Fourdan 2025-06-18 08:39:02 +02:00 committed by Enrico Weigelt, metux IT consult
parent b393d5fc02
commit 899afa4c10

View File

@ -395,6 +395,8 @@ ReadRequestFromClient(ClientPtr client)
needed = get_big_req_len(request, client); needed = get_big_req_len(request, client);
} }
client->req_len = needed; client->req_len = needed;
if (needed > MAXINT >> 2)
return -(BadLength);
needed <<= 2; needed <<= 2;
} }
if (gotnow < needed) { if (gotnow < needed) {