10001 – integer overflow in xc-misc [CVE-2007-1003]

Bug 10001 - integer overflow in xc-misc [CVE-2007-1003]

Summary: integer overflow in xc-misc [CVE-2007-1003]

Status:	RESOLVED FIXED

Alias:	None

Product:	xorg
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	7.2 (2007.02)
Hardware:	All All

Importance:	high normal
Assignee:	X.Org Security
QA Contact:	X.Org Security

URL:	http://lists.freedesktop.org/archives...
Whiteboard:
Keywords:	security

Depends on:
Blocks:

Reported:	2007-02-16 14:02 UTC by Matthieu Herrb
Modified:	2007-12-10 21:33 UTC (History)
CC List:	2 users (show)

See Also:
i915 platform:
i915 features:

Attachments
proposed patch (1.05 KB, patch) 2007-02-16 14:08 UTC, Matthieu Herrb	no flags	Details \| Splinter Review
View All

Description Matthieu Herrb 2007-02-16 14:02:36 UTC

iDefense reported an integer overflow in the xc-misc extension, in the ProcXCMiscGetXIDList() function. Moreover this function uses ALLOCATE_LOCAL (ie alloca()) on with a user-controlled paramter, which can lead to stack corruption.

Comment 1 Matthieu Herrb 2007-02-16 14:08:07 UTC

Created attachment 8757 [details] [review]
proposed patch

Like the dbe patch last time. Check for integer overflow and replace alloca() with Xalloc().
I glimpsed through other Xext uses of ALLOCATE_LOCAL() and didn't spot other cases where it's called with a multiplicative paramter that can be fully controlled by the client to cause an overflow. Other pair of eyes are welcome. (And there are more extensions to check).

Comment 2 Alan Coopersmith 2007-04-04 17:47:59 UTC

Matthieu integrated the fix into git head and released the security advisory,
so I'm marking this both FIXED and publically viewable.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.