Bug 10001

Summary: integer overflow in xc-misc [CVE-2007-1003]
Product: xorg
Reporter: Matthieu Herrb <matthieu.herrb>
Component: Security
Assignee: X.Org Security <xorg_security>
Status: RESOLVED FIXED
QA Contact: X.Org Security <xorg_security>
Severity: normal
Priority: high
CC: alan.coopersmith, dberkholz
Version: 7.2 (2007.02)
Keywords: security
Hardware: All
OS: All
URL: http://lists.freedesktop.org/archives/xorg-announce/2007-April/000286.html
Attachments:
Description Flags
proposed patch none

Description Matthieu Herrb 2007-02-16 14:02:36 UTC
iDefense reported an integer overflow in the xc-misc extension, in the ProcXCMiscGetXIDList() function. Moreover, this function uses ALLOCATE_LOCAL (i.e. alloca()) with a user-controlled parameter, which can lead to stack corruption.
Comment 1 Matthieu Herrb 2007-02-16 14:08:07 UTC
Created attachment 8757
proposed patch

Like the dbe patch last time. Check for integer overflow and replace alloca() with Xalloc().
I glimpsed through other Xext uses of ALLOCATE_LOCAL() and didn't spot other cases where it's called with a multiplicative parameter that can be fully controlled by the client to cause an overflow. Other pairs of eyes are welcome. (And there are more extensions to check).
Comment 2 Alan Coopersmith 2007-04-04 17:47:59 UTC
Matthieu integrated the fix into git head and released the security advisory,
so I'm marking this both FIXED and publicly viewable.
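
The fix pattern named in the description and comment 1 (check the size multiplication for overflow, then allocate from the heap instead of with alloca()), shown as an added example; it is not the attached X.Org patch or code from this report. `xid_t`, `unchecked_bytes32` and `alloc_id_list` are hypothetical names, and the 32-bit arithmetic is an assumption that models a platform where size_t is 32 bits wide.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uint32_t xid_t;   /* hypothetical stand-in for a 32-bit resource ID */

enum { REQ_OK = 0, REQ_BAD_ALLOC = -1 };

/* Byte count as the unchecked code computes it when size_t is 32 bits:
 * the product wraps modulo 2^32, so a huge client-supplied count can
 * yield a tiny buffer size. */
uint32_t unchecked_bytes32(uint32_t count)
{
    return count * (uint32_t)sizeof(xid_t);
}

/* Hardened form: reject any count whose byte size cannot be represented,
 * then allocate on the heap. Unlike alloca(), malloc() reports failure,
 * so an oversized request becomes an error reply, not stack corruption. */
int alloc_id_list(uint32_t count, xid_t **out)
{
    *out = NULL;
    if (count > UINT32_MAX / sizeof(xid_t))
        return REQ_BAD_ALLOC;                 /* multiplication would wrap */

    size_t bytes = (size_t)count * sizeof(xid_t);
    xid_t *ids = malloc(bytes ? bytes : 1);   /* avoid a zero-size request */
    if (ids == NULL)
        return REQ_BAD_ALLOC;

    *out = ids;
    return REQ_OK;
}

int main(void)
{
    uint32_t hostile = 0x40000001u;           /* constructed sample count */
    xid_t *ids;

    printf("count=%u wraps to %u bytes when unchecked\n",
           (unsigned)hostile, (unsigned)unchecked_bytes32(hostile));
    printf("checked, hostile count: %d\n", alloc_id_list(hostile, &ids));
    printf("checked, count=16:      %d\n", alloc_id_list(16, &ids));
    free(ids);
    return 0;
}
```

The caller owns the returned buffer and must free it on every exit path, which is the bookkeeping that moving off alloca() introduces.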
