38 lines
1.4 KiB
Diff
38 lines
1.4 KiB
Diff
|
From ca652633c02ceb054143207d71d24a8123733c27 Mon Sep 17 00:00:00 2001
|
||
|
|
From: Olivier Fourdan <ofourdan@redhat.com>
|
||
|
|
Date: Tue, 20 May 2025 15:18:19 +0200
|
||
|
|
Subject: [PATCH xserver 1/2] randr: Check for overflow in
|
||
|
|
RRChangeProviderProperty()
|
||
|
|
|
||
|
|
A client might send a request causing an integer overflow when computing
|
||
|
|
the total size to allocate in RRChangeProviderProperty().
|
||
|
|
|
||
|
|
To avoid the issue, check that total length in bytes won't exceed the
|
||
|
|
maximum integer value.
|
||
|
|
|
||
|
|
CVE-2025-49180
|
||
|
|
|
||
|
|
This issue was discovered by Nils Emmerich <nemmerich@ernw.de> and
|
||
|
|
reported by Julian Suleder via ERNW Vulnerability Disclosure.
|
||
|
|
|
||
|
|
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
|
||
|
|
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
||
|
|
---
|
||
|
|
randr/rrproviderproperty.c | 3 ++-
|
||
|
|
1 file changed, 2 insertions(+), 1 deletion(-)
|
||
|
|
|
||
|
|
Index: xorg-server-21.1.15/randr/rrproviderproperty.c
|
||
|
|
===================================================================
|
||
|
|
--- xorg-server-21.1.15.orig/randr/rrproviderproperty.c
|
||
|
|
+++ xorg-server-21.1.15/randr/rrproviderproperty.c
|
||
|
|
@@ -179,7 +179,8 @@ RRChangeProviderProperty(RRProviderPtr p
|
||
|
|
|
||
|
|
if (mode == PropModeReplace || len > 0) {
|
||
|
|
void *new_data = NULL, *old_data = NULL;
|
||
|
|
-
|
||
|
|
+ if (total_len > MAXINT / size_in_bytes)
|
||
|
|
+ return BadValue;
|
||
|
|
total_size = total_len * size_in_bytes;
|
||
|
|
new_value.data = (void *) malloc(total_size);
|
||
|
|
if (!new_value.data && total_size) {
|