Resolves: https://issues.redhat.com/browse/RHEL-97278
Resolves: https://issues.redhat.com/browse/RHEL-97299
Resolves: https://issues.redhat.com/browse/RHEL-97374
Resolves: https://issues.redhat.com/browse/RHEL-97417
Resolves: https://issues.redhat.com/browse/RHEL-97249
42 lines
1.4 KiB
Diff
From b33673deffe92ff7d5b4be5dd944eed2718ee3a0 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Tue, 20 May 2025 15:18:19 +0200
Subject: [PATCH xserver 6/6] randr: Check for overflow in
 RRChangeProviderProperty()

A client might send a request causing an integer overflow when computing
the total size to allocate in RRChangeProviderProperty().

To avoid the issue, check that total length in bytes won't exceed the
maximum integer value.

CVE-2025-49180

This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
reported by Julian Suleder via ERNW Vulnerability Disclosure.

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 1b0bf563a3a76b06ddcd6fc4d8e72d81f6773699)
---
 randr/rrproviderproperty.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
index b79c17f9b..7088570ee 100644
--- a/randr/rrproviderproperty.c
+++ b/randr/rrproviderproperty.c
@@ -179,7 +179,8 @@ RRChangeProviderProperty(RRProviderPtr provider, Atom property, Atom type,
if (mode == PropModeReplace || len > 0) {
void *new_data = NULL, *old_data = NULL;
-
+ if (total_len > MAXINT / size_in_bytes)
+ return BadValue;
total_size = total_len * size_in_bytes;
new_value.data = (void *) malloc(total_size);
if (!new_value.data && total_size) {
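Review bot: The new guard `if (total_len > MAXINT / size_in_bytes)` divides by size_in_bytes, and nothing visible in this hunk shows that value is guaranteed non-zero when the block is entered. Please confirm that the format validation earlier in the function rules out zero, and consider a one-line comment above the check saying so and stating what the check protects (the `total_len * size_in_bytes` multiplication on the next line). The bound is MAXINT, while the declared types of total_len and total_size are outside the hunk; if either is unsigned or wider than int, the limit should be tied to the type of total_size instead. A smaller style point: the patch replaces the blank line that separated the declarations from the first statement, so the check now runs straight on from `void *new_data = NULL, *old_data = NULL;`. Keeping the blank line before the `if` would read better.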
--
2.49.0