Bug 10001

Summary: integer overflow in xc-misc [CVE-2007-1003]
Product: xorg Reporter: Matthieu Herrb <matthieu.herrb>
Component: SecurityAssignee: X.Org Security <xorg_security>
Status: RESOLVED FIXED QA Contact: X.Org Security <xorg_security>
Severity: normal    
Priority: high CC: alan.coopersmith, dberkholz
Version: 7.2 (2007.02)Keywords: security
Hardware: All   
OS: All   
URL: http://lists.freedesktop.org/archives/xorg-announce/2007-April/000286.html
i915 platform: i915 features:
Description Flags
proposed patch none

Description Matthieu Herrb 2007-02-16 14:02:36 UTC
iDefense reported an integer overflow in the xc-misc extension, in the ProcXCMiscGetXIDList() function. Moreover this function uses ALLOCATE_LOCAL (ie alloca()) on with a user-controlled paramter, which can lead to stack corruption.
Comment 1 Matthieu Herrb 2007-02-16 14:08:07 UTC
Created attachment 8757 [details] [review]
proposed patch

Like the dbe patch last time. Check for integer overflow and replace alloca() with Xalloc().
I glimpsed through other Xext uses of ALLOCATE_LOCAL() and didn't spot other cases where it's called with a multiplicative paramter that can be fully controlled by the client to cause an overflow. Other pair of eyes are welcome. (And there are more extensions to check).
Comment 2 Alan Coopersmith 2007-04-04 17:47:59 UTC
Matthieu integrated the fix into git head and released the security advisory,
so I'm marking this both FIXED and publically viewable.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.