authorNathan Kidd <nkidd@opentext.com>2015-01-09 09:57:23 -0500
committerJulien Cristau <jcristau@debian.org>2017-10-10 23:33:34 +0200
commitcad5a1050b7184d828aef9c1dd151c3ab649d37e (patch)
treeda13a3b46374c231b5aefe1fcb2f53714be3fc47 /render/render.c
parent9c23685009aa96f4b861dcc5d2e01dbee00c4dd9 (diff)
downloadxserver-cad5a1050b7184d828aef9c1dd151c3ab649d37e.tar.gz
Unvalidated lengths
v2: Add overflow check and remove unnecessary check (Julien Cristau) This addresses: CVE-2017-12184 in XINERAMA CVE-2017-12185 in MIT-SCREEN-SAVER CVE-2017-12186 in X-Resource CVE-2017-12187 in RENDER Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Signed-off-by: Nathan Kidd <nkidd@opentext.com> Signed-off-by: Julien Cristau <jcristau@debian.org>
Diffstat (limited to 'render/render.c')
-rw-r--r--render/render.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/render/render.c b/render/render.c
index ccae49a41..7d94bd5ff 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1757,6 +1757,9 @@ ProcRenderSetPictureFilter(ClientPtr client)
name = (char *) (stuff + 1);
params = (xFixed *) (name + pad_to_int32(stuff->nbytes));
nparams = ((xFixed *) stuff + client->req_len) - params;
+ if (nparams < 0)
+ return BadLength;
+
result = SetPictureFilter(pPicture, name, stuff->nbytes, params, nparams);
return result;
}
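Review bot: The added `nparams < 0` test runs only after `params` has been formed from the client-supplied `stuff->nbytes`, so for an oversized `nbytes` the code has already computed a pointer past the end of the request before rejecting it. That works on the usual flat-memory targets, but it depends on out-of-bounds pointer arithmetic that C leaves undefined. Comparing lengths before deriving `params` avoids this, for example `if (pad_to_int32(stuff->nbytes) > (client->req_len << 2) - sizeof(xRenderSetPictureFilterReq)) return BadLength;`. That form assumes an earlier minimum-size check on the request, which would sit above this hunk and is not visible here. Either way, a short comment such as `/* nbytes is client-controlled; reject a name that runs past the request */` would record why the guard exists.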