Bug 10001 - integer overflow in xc-misc [CVE-2007-1003]
Summary: integer overflow in xc-misc [CVE-2007-1003]
Alias: None
Product: xorg
Classification: Unclassified
Component: Security (show other bugs)
Version: 7.2 (2007.02)
Hardware: All All
: high normal
Assignee: X.Org Security
QA Contact: X.Org Security
URL: http://lists.freedesktop.org/archives...
Keywords: security
Depends on:
Reported: 2007-02-16 14:02 UTC by Matthieu Herrb
Modified: 2007-12-10 21:33 UTC (History)
2 users (show)

See Also:
i915 platform:
i915 features:

proposed patch (1.05 KB, patch)
2007-02-16 14:08 UTC, Matthieu Herrb
no flags Details | Splinter Review

Description Matthieu Herrb 2007-02-16 14:02:36 UTC
iDefense reported an integer overflow in the xc-misc extension, in the ProcXCMiscGetXIDList() function. Moreover this function uses ALLOCATE_LOCAL (ie alloca()) on with a user-controlled paramter, which can lead to stack corruption.
Comment 1 Matthieu Herrb 2007-02-16 14:08:07 UTC
Created attachment 8757 [details] [review]
proposed patch

Like the dbe patch last time. Check for integer overflow and replace alloca() with Xalloc().
I glimpsed through other Xext uses of ALLOCATE_LOCAL() and didn't spot other cases where it's called with a multiplicative paramter that can be fully controlled by the client to cause an overflow. Other pair of eyes are welcome. (And there are more extensions to check).
Comment 2 Alan Coopersmith 2007-04-04 17:47:59 UTC
Matthieu integrated the fix into git head and released the security advisory,
so I'm marking this both FIXED and publically viewable.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.