Check for integer overflow before using stuff->count in a multiplication, to avoid compiler optimizing out due to undefined behaviour, but only after we've checked to make sure stuff->count is in the range of the request we're parsing.
Reported-by: [email protected] Signed-off-by: Alan Coopersmith <[email protected]> --- An improved version of the patch Jan submitted as http://lists.x.org/archives/xorg-devel/2014-December/044878.html which I've had sitting in a tree for months and apparently forgot to actually send in. hw/xfree86/dri2/dri2ext.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/hw/xfree86/dri2/dri2ext.c b/hw/xfree86/dri2/dri2ext.c index 221ec53..520b7cf 100644 --- a/hw/xfree86/dri2/dri2ext.c +++ b/hw/xfree86/dri2/dri2ext.c @@ -269,9 +269,11 @@ ProcDRI2GetBuffers(ClientPtr client) int status, width, height, count; unsigned int *attachments; - REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * 4); - if (stuff->count > (INT_MAX / 4)) + REQUEST_AT_LEAST_SIZE(xDRI2GetBuffersReq); + /* stuff->count is a count of CARD32 attachments that follows */ + if (stuff->count > (INT_MAX / sizeof(CARD32))) return BadLength; + REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * sizeof(CARD32)); if (!validDrawable(client, stuff->drawable, DixReadAccess | DixWriteAccess, &pDrawable, &status)) @@ -297,7 +299,13 @@ ProcDRI2GetBuffersWithFormat(ClientPtr client) int status, width, height, count; unsigned int *attachments; - REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * (2 * 4)); + REQUEST_AT_LEAST_SIZE(xDRI2GetBuffersReq); + /* stuff->count is a count of pairs of CARD32s (attachments & formats) + that follows */ + if (stuff->count > (INT_MAX / (2 * sizeof(CARD32)))) + return BadLength; + REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, + stuff->count * (2 * sizeof(CARD32))); if (!validDrawable(client, stuff->drawable, DixReadAccess | DixWriteAccess, &pDrawable, &status)) return status; -- 1.7.9.2 _______________________________________________ [email protected]: X.Org development Archives: http://lists.x.org/archives/xorg-devel Info: http://lists.x.org/mailman/listinfo/xorg-devel
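Review bot: in the ProcDRI2GetBuffers hunk, the limit in `if (stuff->count > (INT_MAX / sizeof(CARD32)))` is not explained: the new comment says what stuff->count counts, but not why INT_MAX is the bound. Because of the sizeof operand, the right-hand side is now a size_t expression, and so is the product passed to REQUEST_FIXED_SIZE, which differs from the old `stuff->count * 4` form. A one-line comment stating which later int-typed value the cap protects would let a reader confirm the bound is the intended one. The ordering itself (REQUEST_AT_LEAST_SIZE, then the range check, then REQUEST_FIXED_SIZE with the multiplication) matches the commit message, since the old code multiplied first and tested afterwards.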
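Review bot: in the ProcDRI2GetBuffersWithFormat hunk, the removed line shows this path had no range check on stuff->count at all before the multiplication by (2 * 4), so this is a newly added check rather than a reordering, and the commit message should say so. The three-step sequence is now duplicated between the two functions, differing only in the element size (`sizeof(CARD32)` versus `2 * sizeof(CARD32)`); consider a small shared macro or helper taking the per-entry size so the two call sites cannot drift apart. Minor wording: in the comment, "pairs of CARD32s ... that follows" should read "that follow".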
