From d943eaa6b8584e7ceebd73ee59bd84e99b09be5d Mon Sep 17 00:00:00 2001
From: Olivier Fourdan
Date: Mon, 28 Apr 2025 11:47:15 +0200
Subject: [PATCH xserver 5/7] record: Check for overflow in RecordSanityCheckRegisterClients()

The RecordSanityCheckRegisterClients() checks for the request length, but does not check for integer overflow.

A client might send a very large value for either the number of clients or the number of protocol ranges that will cause an integer overflow in the request length computation, defeating the check for request length.

To avoid the issue, explicitly check the number of clients against the limit of clients (which is much lower than an maximum integer value) and the number of protocol ranges (multiplied by the record length) do not exceed the maximum integer value.

This way, we ensure that the final computation for the request length will not overflow the maximum integer limit.

CVE-2025-49179

This issue was discovered by Nils Emmerich and reported by Julian Suleder via ERNW Vulnerability Disclosure.

Signed-off-by: Olivier Fourdan
Reviewed-by: Peter Hutterer
(cherry picked from commit 2bde9ca49a8fd9a1e6697d5e7ef837870d66f5d4)
Part-of:
---
 record/record.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/record/record.c b/record/record.c
index a8aec23bd..afaceb55c 100644
--- a/record/record.c
+++ b/record/record.c
@@ -45,6 +45,7 @@ and Jim Haggerty of Metheus.
 #include "inputstr.h"
 #include "eventconvert.h"
 #include "scrnintstr.h"
+#include "opaque.h"
 #include 
 #include 
@@ -1298,6 +1299,13 @@ RecordSanityCheckRegisterClients(RecordContextPtr pContext, ClientPtr client,
     int i;
     XID recordingClient;
 
+    /* LimitClients is 2048 at max, way less that MAXINT */
+    if (stuff->nClients > LimitClients)
+        return BadValue;
+
+    if (stuff->nRanges > (MAXINT - 4 * stuff->nClients) / SIZEOF(xRecordRange))
+        return BadValue;
+
     if (((client->req_len << 2) - SIZEOF(xRecordRegisterClientsReq)) !=
         4 * stuff->nClients + SIZEOF(xRecordRange) * stuff->nRanges)
         return BadLength;
-- 
2.49.0
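Review bot: The new comment `/* LimitClients is 2048 at max, way less that MAXINT */` has a typo (`than`) and documents only the first check, while the second check is the one the existing `req_len` comparison below now depends on; I would reword it to state the invariant, e.g. `/* nClients <= LimitClients (2048 at most) keeps 4 * nClients far below MAXINT; the nRanges bound then keeps 4 * nClients + SIZEOF(xRecordRange) * nRanges <= MAXINT, so the length comparison below cannot wrap. */`. The order of the two checks also matters: `MAXINT - 4 * stuff->nClients` is only safe because nClients has already been capped, so a reordering would reintroduce the wrap; a short note to that effect keeps a future refactor from swapping them. Assuming `nClients` and `nRanges` are CARD32 as in recordproto (their declarations are not in the hunk), both comparisons are evaluated unsigned, and the integer division rounds down, which makes the bound conservative rather than permissive, as intended. RecordSanityCheckRegisterClients() starts before and continues past this hunk, so the remaining per-client and per-range validation is out of view here.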