Commit 2ef42519 authored by Alan Coopersmith's avatar Alan Coopersmith

dbe: unvalidated lengths in DbeSwapBuffers calls [CVE-2014-8097]

ProcDbeSwapBuffers() has a 32bit (n) length value that it uses to read
from a buffer. The length is never validated, which can lead to out of
bound reads, and possibly returning the data read from out of bounds to
the misbehaving client via an X Error packet.

SProcDbeSwapBuffers() swaps data (for correct endianness) before
handing it off to the real proc.  While doing the swapping, the
length field is not validated, which can cause memory corruption.

v2: reorder checks to avoid compilers optimizing out checks for overflow
that happen after we'd already have done the overflowing multiplications.
Reported-by: default avatarIlja Van Sprundel <>
Signed-off-by: Alan Coopersmith's avatarAlan Coopersmith <>
Reviewed-by: Peter Hutterer's avatarPeter Hutterer <>
parent 6692670f
......@@ -450,18 +450,20 @@ ProcDbeSwapBuffers(ClientPtr client)
DbeSwapInfoPtr swapInfo;
xDbeSwapInfo *dbeSwapInfo;
int error;
register int i, j;
int nStuff;
unsigned int i, j;
unsigned int nStuff;
nStuff = stuff->n; /* use local variable for performance. */
if (nStuff == 0) {
return Success;
if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec))
return BadAlloc;
REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, nStuff * sizeof(xDbeSwapInfo));
/* Get to the swap info appended to the end of the request. */
dbeSwapInfo = (xDbeSwapInfo *) &stuff[1];
......@@ -914,13 +916,16 @@ static int
SProcDbeSwapBuffers(ClientPtr client)
register int i;
unsigned int i;
xDbeSwapInfo *pSwapInfo;
if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))
return BadAlloc;
REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo));
if (stuff->n != 0) {
pSwapInfo = (xDbeSwapInfo *) stuff + 1;
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment