44 lines
1.5 KiB
Diff
From 3d44c08d94e850769d7d16fce0596536370253b1 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Tue, 20 May 2025 15:18:19 +0200
Subject: [PATCH xserver 6/7] randr: Check for overflow in
 RRChangeProviderProperty()

A client might send a request causing an integer overflow when computing
the total size to allocate in RRChangeProviderProperty().

To avoid the issue, check that total length in bytes won't exceed the
maximum integer value.

CVE-2025-49180

This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
reported by Julian Suleder via ERNW Vulnerability Disclosure.

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 3c3a4b767b16174d3213055947ea7f4f88e10ec6)

Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2025>
---
randr/rrproviderproperty.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/randr/rrproviderproperty.c b/randr/rrproviderproperty.c
index b79c17f9b..7088570ee 100644
--- a/randr/rrproviderproperty.c
+++ b/randr/rrproviderproperty.c
@@ -179,7 +179,8 @@ RRChangeProviderProperty(RRProviderPtr provider, Atom property, Atom type,
if (mode == PropModeReplace || len > 0) {
void *new_data = NULL, *old_data = NULL;
-
+ if (total_len > MAXINT / size_in_bytes)
+ return BadValue;
total_size = total_len * size_in_bytes;
new_value.data = (void *) malloc(total_size);
if (!new_value.data && total_size) {
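Review bot: The added guard `if (total_len > MAXINT / size_in_bytes)` divides by size_in_bytes, and nothing in the visible context shows that size_in_bytes is non-zero when this line is reached. Please confirm that the format is validated on every path into RRChangeProviderProperty(), or add an explicit zero check before the division, since a zero divisor would turn the overflow check itself into a crash. Two smaller points on the same lines: the hunk drops the blank line after the `new_data`/`old_data` declarations, so the check now sits directly against them, and keeping a blank line between the declarations and the first statement would read better. A one-line comment stating that the bound protects the `total_len * size_in_bytes` multiplication that feeds malloc() would also help, because the reason for returning BadValue is otherwise recorded only in the commit message.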
--
2.49.0