Commit 40c12a76 authored by Tobias Stoeckmann's avatar Tobias Stoeckmann Committed by Adam Jackson

record: Fix OOB access in ProcRecordUnregisterClients

If a client sends a RecordUnregisterClients request with an nClients
field larger than INT_MAX / 4, an integer overflow leads to an
out of boundary access in RecordSanityCheckClientSpecifiers.

An example line with libXtst would be:
XRecordUnregisterClients(dpy, rc, clients, 0x40000001);
Reviewed-by: Adam Jackson's avatarAdam Jackson <ajax@redhat.com>
parent 1ad23068
......@@ -1910,7 +1910,8 @@ ProcRecordUnregisterClients(ClientPtr client)
int i;
REQUEST_AT_LEAST_SIZE(xRecordUnregisterClientsReq);
if ((client->req_len << 2) - SIZEOF(xRecordUnregisterClientsReq) !=
if (INT_MAX / 4 < stuff->nClients ||
(client->req_len << 2) - SIZEOF(xRecordUnregisterClientsReq) !=
4 * stuff->nClients)
return BadLength;
VERIFY_CONTEXT(pContext, stuff->context, client);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment