Commit 6ca496b7 authored by Alan Coopersmith's avatar Alan Coopersmith Committed by Adam Jackson

dri2: better checks for integer overflow in GetBuffers*

Check for integer overflow before using stuff->count in a multiplication,
to avoid compiler optimizing out due to undefined behaviour, but only
after we've checked to make sure stuff->count is in the range of the
request we're parsing.

Reported-by: jes@posteo.de
Reviewed-by: default avatarAdam Jackson <ajax@redhat.com>
Signed-off-by: default avatarAlan Coopersmith <alan.coopersmith@oracle.com>
parent 6c2c6fb5
......@@ -269,9 +269,11 @@ ProcDRI2GetBuffers(ClientPtr client)
int status, width, height, count;
unsigned int *attachments;
REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * 4);
if (stuff->count > (INT_MAX / 4))
REQUEST_AT_LEAST_SIZE(xDRI2GetBuffersReq);
/* stuff->count is a count of CARD32 attachments that follows */
if (stuff->count > (INT_MAX / sizeof(CARD32)))
return BadLength;
REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * sizeof(CARD32));
if (!validDrawable(client, stuff->drawable, DixReadAccess | DixWriteAccess,
&pDrawable, &status))
......@@ -297,7 +299,13 @@ ProcDRI2GetBuffersWithFormat(ClientPtr client)
int status, width, height, count;
unsigned int *attachments;
REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * (2 * 4));
REQUEST_AT_LEAST_SIZE(xDRI2GetBuffersReq);
/* stuff->count is a count of pairs of CARD32s (attachments & formats)
that follows */
if (stuff->count > (INT_MAX / (2 * sizeof(CARD32))))
return BadLength;
REQUEST_FIXED_SIZE(xDRI2GetBuffersReq,
stuff->count * (2 * sizeof(CARD32)));
if (!validDrawable(client, stuff->drawable, DixReadAccess | DixWriteAccess,
&pDrawable, &status))
return status;
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment