From da5f8d197fc25d898212714c653d66a91cbae7ab Mon Sep 17 00:00:00 2001 From: Olivier Fourdan Date: Mon, 28 Apr 2025 11:47:15 +0200 Subject: [PATCH] record: Check for overflow in RecordSanityCheckRegisterClients() The RecordSanityCheckRegisterClients() checks for the request length, but does not check for integer overflow. A client might send a very large value for either the number of clients or the number of protocol ranges that will cause an integer overflow in the request length computation, defeating the check for request length. To avoid the issue, explicitly check the number of clients against the limit of clients (which is much lower than an maximum integer value) and the number of protocol ranges (multiplied by the record length) do not exceed the maximum integer value. This way, we ensure that the final computation for the request length will not overflow the maximum integer limit. CVE-2025-49179 This issue was discovered by Nils Emmerich and reported by Julian Suleder via ERNW Vulnerability Disclosure. Signed-off-by: Olivier Fourdan Reviewed-by: Peter Hutterer Part-of: --- record/record.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/record/record.c b/record/record.c index c2bfbfbe1..45f531545 100644 --- a/record/record.c +++ b/record/record.c @@ -46,6 +46,7 @@ and Jim Haggerty of Metheus. #include "dix/resource_priv.h" #include "miext/extinit_priv.h" #include "os/client_priv.h" +#include "os/osdep.h" #include "Xext/panoramiX.h" #include "Xext/panoramiXsrv.h" @@ -1299,6 +1300,13 @@ RecordSanityCheckRegisterClients(RecordContextPtr pContext, ClientPtr client, int i; XID recordingClient; + /* LimitClients is 2048 at max, way less that MAXINT */ + if (stuff->nClients > LimitClients) + return BadValue; + + if (stuff->nRanges > (MAXINT - 4 * stuff->nClients) / SIZEOF(xRecordRange)) + return BadValue; + if (((client->req_len << 2) - SIZEOF(xRecordRegisterClientsReq)) != 4 * stuff->nClients + SIZEOF(xRecordRange) * stuff->nRanges) return BadLength;