Fixes for various integer overflow problems from X.Org:

CVE-2008-2360 - RENDER Extension heap buffer overflow CVE-2008-2361 - RENDER Extension crash CVE-2008-2362 - RENDER Extension memory corruption CVE-2008-1379 - MIT-SHM arbitrary memory read CVE-2008-1377 - RECORD and Security extensions memory corruption
2025-12-10 11:19:04 +00:00 · 2008-06-11 15:39:26 +00:00
parent ef9d4b4b8c
commit 52218799b8
4 changed files with 40 additions and 12 deletions
--- a/xserver/record/record.c
+++ b/xserver/record/record.c
@@ -2656,7 +2656,7 @@ SProcRecordQueryVersion(ClientPtr client)
 } /* SProcRecordQueryVersion */


-static void
+static int
 SwapCreateRegister(xRecordRegisterClientsReq *stuff)
 {
    register char n;
@@ -2667,11 +2667,17 @@ SwapCreateRegister(xRecordRegisterClientsReq *stuff)
    swapl(&stuff->nClients, n);
    swapl(&stuff->nRanges, n);
    pClientID = (XID *)&stuff[1];
+    if (stuff->nClients > stuff->length - (sz_xRecordRegisterClientsReq >> 2))
+	return BadLength;
    for (i = 0; i < stuff->nClients; i++, pClientID++)
    {
 	swapl(pClientID, n);
    }
+    if (stuff->nRanges > stuff->length - (sz_xRecordRegisterClientsReq >> 2)
+	- stuff->nClients)
+	return BadLength;
    RecordSwapRanges((xRecordRange *)pClientID, stuff->nRanges);
+    return Success;
 } /* SwapCreateRegister */


@@ -2679,11 +2685,13 @@ static int
 SProcRecordCreateContext(ClientPtr client)
 {
    REQUEST(xRecordCreateContextReq);
+    int			status;
    register char 	n;

    swaps(&stuff->length, n);
    REQUEST_AT_LEAST_SIZE(xRecordCreateContextReq);
-    SwapCreateRegister((pointer)stuff);
+    if ((status = SwapCreateRegister((pointer)stuff)) != Success)
+	return status;
    return ProcRecordCreateContext(client);
 } /* SProcRecordCreateContext */

@@ -2692,11 +2700,13 @@ static int
 SProcRecordRegisterClients(ClientPtr client)
 {
    REQUEST(xRecordRegisterClientsReq);
+    int			status;
    register char 	n;

    swaps(&stuff->length, n);
    REQUEST_AT_LEAST_SIZE(xRecordRegisterClientsReq);
-    SwapCreateRegister((pointer)stuff);
+    if ((status = SwapCreateRegister((pointer)stuff)) != Success)
+	return status;
    return ProcRecordRegisterClients(client);
 } /* SProcRecordRegisterClients */