da5f8d197f
The RecordSanityCheckRegisterClients() checks for the request length, but does not check for integer overflow. A client might send a very large value for either the number of clients or the number of protocol ranges that will cause an integer overflow in the request length computation, defeating the check for request length. To avoid the issue, explicitly check the number of clients against the limit of clients (which is much lower than an maximum integer value) and the number of protocol ranges (multiplied by the record length) do not exceed the maximum integer value. This way, we ensure that the final computation for the request length will not overflow the maximum integer limit. CVE-2025-49179 This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and reported by Julian Suleder via ERNW Vulnerability Disclosure. Signed-off-by: Olivier Fourdan <ofourdan@redhat.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2024> |
||
|---|---|---|
| .. | ||
| meson.build | ||
| record.c | ||
| set.c | ||
| set.h | ||