Summary: 4-byte buffer overflow in MakeBigReq
Product: xorg
Component: Lib/Xlib
Status: RESOLVED FIXED
Reporter: Karl Tomlinson <bugs.freedesktop>
Assignee: Xorg Project Team <xorg-team>
QA Contact: Xorg Project Team <xorg-team>
Description Karl Tomlinson 2012-10-29 04:48:24 UTC
Created attachment 69207: don't memmove the last word

MakeBigReq() needs to make the request one 32-bit word larger (to squeeze in a larger length value). It saves the last word in _BRdat, to correctly append with a bufmax check in Data32(), but still memmoves every word in the request after the first word. That is one too many words. One overflows (in certain situations).
Comment 1 Karl Tomlinson 2012-10-29 04:52:51 UTC
As this is a macro, of course all libraries that use the macro or SetReqLen to create large requests will need to be recompiled.
Comment 2 Karl Tomlinson 2012-10-29 04:54:53 UTC
The last memcpy in the WORD64 case looks wrong but I haven't tried to fix that bug.
Comment 3 Peter Hutterer 2013-02-18 01:19:30 UTC
Confirmed and I have a reliable reproducer here. Requirement for the overrun is that the fixed-length bit of the request is aligned at the end of the dpy buffer.
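The off-by-one from the description and the end-of-buffer condition from comment 3, modelled as an added example (not code from the libX11 tree; function and macro names are my own): a four-word request is laid out directly before a canary word that stands in for the memory just past the end of the display buffer. The buggy shift moves one word too many and clobbers the canary; the corrected shift stays inside the request. The length arithmetic and the zeroing of the 16-bit length field in word 0 are simplified.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef uint32_t CARD32;

/* Constructed fixture: the request occupies words [0, REQ_WORDS) and the
 * canary word right after it stands in for whatever follows the end of the
 * display's output buffer when the request is aligned to that end. */
#define REQ_WORDS 4
#define CANARY    0xDEADBEEFu

/* Model of the step the report describes (hypothetical names, not Xlib's
 * macro): save the last word, shift every word after the first one up by
 * one position, and put the BIG-REQUESTS length into word 1. Returns the
 * saved word, which the real macro hands to Data32() to append later.
 * The 16-bit length field in word 0 is left alone here for simplicity. */
static CARD32 make_big_req(CARD32 *req, CARD32 len, CARD32 n, bool fixed)
{
    CARD32 brlen = len - 1;            /* index of the request's last word */
    CARD32 brdat = req[brlen];         /* saved so it can be appended safely */
    /* Buggy: move brlen words, i.e. indices 1..brlen, so the last destination
     * write lands at index brlen + 1 == len, one word past the request.
     * Fixed: move brlen - 1 words, indices 1..brlen-1, staying inside it. */
    size_t nwords = fixed ? brlen - 1 : brlen;
    memmove(req + 2, req + 1, nwords * sizeof(CARD32));
    req[1] = brlen + n + 2;            /* new length in 32-bit words */
    return brdat;
}

/* Runs one variant on the fixture; returns 1 if the canary survived. */
static int canary_survives(bool fixed)
{
    CARD32 buf[REQ_WORDS + 1] = { 0x00040001u, 0x11111111u, 0x22222222u,
                                  0x33333333u, CANARY };
    make_big_req(buf, REQ_WORDS, 1, fixed);
    return buf[REQ_WORDS] == CANARY;
}

/* Checks that the fixed variant produces the expected layout: word 1 holds
 * the new length, words 2..3 hold old words 1..2, the old last word is the
 * value returned for Data32(), and nothing beyond the request is touched. */
static int fixed_layout_ok(void)
{
    CARD32 buf[REQ_WORDS + 1] = { 0x00040001u, 0x11111111u, 0x22222222u,
                                  0x33333333u, CANARY };
    CARD32 saved = make_big_req(buf, REQ_WORDS, 1, true);
    return saved == 0x33333333u && buf[0] == 0x00040001u && buf[1] == 6u &&
           buf[2] == 0x11111111u && buf[3] == 0x22222222u &&
           buf[REQ_WORDS] == CANARY;
}
```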
Comment 4 Alan Coopersmith 2013-03-09 01:44:21 UTC
Patch pushed to git master: http://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=39547d600a13713e15429f49768e54c3173c828d