XServer crashes when client passes bad offset in XvShmPutImage
Submitted by Joris Guisson
Assigned to Xorg Project Team
Description
We have encountered a crash in xorg on debian jessie (xorg-server-1.16.4).
Our client was sometimes passing a bogus shmaddr in XShmSegmentInfo, when calling XvShmPutImage. This results in a crash in ProcXvShmPutImage (Xext/xvdisp.c), in the following code:
    width = stuff->width;
    height = stuff->height;
    size_needed = (*pPort->pAdaptor->ddQueryImageAttributes) (client, pPort, pImage,
                                                               &width, &height, NULL, NULL);
    if ((size_needed + stuff->offset) > shmdesc->size)
        return BadAccess;
The if test is not good enough. If offset is big enough to cause a wrap around, size_needed + stuff->offset will be smaller than or equal to shmdesc->size.
So an additional check to see if stuff->offset is smaller than shmdesc->size is needed here.
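The wraparound described in the report, reproduced as a stand-alone C example. This is added illustration, not code from the X server or from the reporter: the struct fields and types are simplified stand-ins (assumption: all three quantities are treated as 32-bit unsigned values, which is enough to show the wrap; the real server mixes int and CARD32), and the sample values are constructed. The first function is the original bounds check as quoted above; the second is one way to write it so the addition can never wrap.

```c
#include <stdint.h>
#include <stdio.h>

/* Return 1 if the image fits in the segment, 0 for BadAccess.
 * Original check as quoted in the report: size_needed + offset
 * can wrap around and pass the comparison for a huge offset. */
int check_original(uint32_t size_needed, uint32_t offset, uint32_t shm_size)
{
    if ((size_needed + offset) > shm_size)
        return 0; /* BadAccess */
    return 1;
}

/* Hardened check (assumed fix, following the report's suggestion):
 * first reject any offset that is not inside the segment, then compare
 * the image size against the room left after the offset. Because the
 * subtraction happens only when offset < shm_size it cannot underflow,
 * and no addition is performed, so nothing can wrap. */
int check_fixed(uint32_t size_needed, uint32_t offset, uint32_t shm_size)
{
    if (offset >= shm_size)
        return 0; /* BadAccess: offset points past the segment */
    if (size_needed > shm_size - offset)
        return 0; /* BadAccess: image does not fit after the offset */
    return 1;
}

/* Constructed scenarios: a 64 KiB shared segment and a 4 KiB image. */
#define SHM_SIZE   65536u
#define IMG_SIZE   4096u
#define OK_OFFSET  1024u
/* An offset chosen so that IMG_SIZE + BAD_OFFSET wraps past 2^32
 * down to 0xF00 (3840), which is below SHM_SIZE. */
#define BAD_OFFSET 0xFFFFFF00u

int main(void)
{
    printf("original, sane offset : %d\n", check_original(IMG_SIZE, OK_OFFSET, SHM_SIZE));
    printf("fixed,    sane offset : %d\n", check_fixed(IMG_SIZE, OK_OFFSET, SHM_SIZE));
    /* The original check wrongly accepts the wrapping offset (prints 1). */
    printf("original, bad offset  : %d\n", check_original(IMG_SIZE, BAD_OFFSET, SHM_SIZE));
    /* The fixed check rejects it (prints 0). */
    printf("fixed,    bad offset  : %d\n", check_fixed(IMG_SIZE, BAD_OFFSET, SHM_SIZE));
    return 0;
}
```

With the constructed values the original check computes 4096 + 0xFFFFFF00, which wraps to 3840 and so passes the comparison against 65536; the reordered check rejects the request at the first test because the offset alone is already beyond the segment.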