From acc5a83e0d813403fa0377d9ed405c3ca2f9a39d Mon Sep 17 00:00:00 2001 From: Olivier Fourdan Date: Mon, 28 Apr 2025 11:47:15 +0200 Subject: [PATCH xserver 5/6] record: Check for overflow in RecordSanityCheckRegisterClients() The RecordSanityCheckRegisterClients() checks for the request length, but does not check for integer overflow. A client might send a very large value for either the number of clients or the number of protocol ranges that will cause an integer overflow in the request length computation, defeating the check for request length. To avoid the issue, explicitly check the number of clients against the limit of clients (which is much lower than an maximum integer value) and the number of protocol ranges (multiplied by the record length) do not exceed the maximum integer value. This way, we ensure that the final computation for the request length will not overflow the maximum integer limit. CVE-2025-49179 This issue was discovered by Nils Emmerich and reported by Julian Suleder via ERNW Vulnerability Disclosure. Signed-off-by: Olivier Fourdan Reviewed-by: Peter Hutterer (cherry picked from commit ea52403bf222f8bd6ee4c509bed5e34f0c789b00) --- record/record.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/record/record.c b/record/record.c index e123867a7..018e53f81 100644 --- a/record/record.c +++ b/record/record.c @@ -45,6 +45,7 @@ and Jim Haggerty of Metheus. #include "inputstr.h" #include "eventconvert.h" #include "scrnintstr.h" +#include "opaque.h" #include #include @@ -1298,6 +1299,13 @@ RecordSanityCheckRegisterClients(RecordContextPtr pContext, ClientPtr client, int i; XID recordingClient; + /* LimitClients is 2048 at max, way less that MAXINT */ + if (stuff->nClients > LimitClients) + return BadValue; + + if (stuff->nRanges > (MAXINT - 4 * stuff->nClients) / SIZEOF(xRecordRange)) + return BadValue; + if (((client->req_len << 2) - SIZEOF(xRecordRegisterClientsReq)) != 4 * stuff->nClients + SIZEOF(xRecordRange) * stuff->nRanges) return BadLength; -- 2.49.0