Bug 10001 - integer overflow in xc-misc [CVE-2007-1003]
Alias: None
Product: xorg
Classification: Unclassified
Component: Security
Version: 7.2 (2007.02)
Hardware: All All
: high normal
Assignee: X.Org Security
QA Contact: X.Org Security
URL: http://lists.freedesktop.org/archives...
Keywords: security
Depends on:
Reported: 2007-02-16 14:02 UTC by Matthieu Herrb
Modified: 2007-12-10 21:33 UTC

proposed patch (1.05 KB, patch)
2007-02-16 14:08 UTC, Matthieu Herrb

Description Matthieu Herrb 2007-02-16 14:02:36 UTC
iDefense reported an integer overflow in the xc-misc extension, in the ProcXCMiscGetXIDList() function. Moreover this function uses ALLOCATE_LOCAL (i.e. alloca()) with a user-controlled parameter, which can lead to stack corruption.
Comment 1 Matthieu Herrb 2007-02-16 14:08:07 UTC
Created attachment 8757
proposed patch

Like the dbe patch last time. Check for integer overflow and replace alloca() with Xalloc().
I glimpsed through other Xext uses of ALLOCATE_LOCAL() and didn't spot other cases where it's called with a multiplicative parameter that can be fully controlled by the client to cause an overflow. Other pairs of eyes are welcome. (And there are more extensions to check).
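
The pattern discussed in this bug (a client-supplied count multiplied into a byte size, then allocated), shown as an added illustration in C. This is not the attached patch or X.Org code: xid_t, unchecked_list_bytes(), checked_list_bytes() and alloc_id_list() are hypothetical names, the size arithmetic is modelled in 32 bits as an assumption, and malloc() stands in for Xalloc().

```c
#include <stdint.h>
#include <stdlib.h>

typedef uint32_t xid_t;   /* hypothetical stand-in for a 32-bit XID */

/* Unchecked size computation, modelled in 32-bit arithmetic (assumption):
 * a large client-supplied count wraps around to a small byte total. */
uint32_t unchecked_list_bytes(uint32_t count)
{
    return count * (uint32_t)sizeof(xid_t);
}

/* Checked form: returns 0 and leaves *bytes untouched when
 * count * sizeof(xid_t) does not fit in 32 bits, otherwise 1. */
int checked_list_bytes(uint32_t count, uint32_t *bytes)
{
    if (count > UINT32_MAX / sizeof(xid_t))
        return 0;
    *bytes = count * (uint32_t)sizeof(xid_t);
    return 1;
}

/* Heap allocation instead of alloca(): an overflowing or failed request
 * comes back as NULL, which the caller can turn into an error reply,
 * instead of the stack pointer moving by a client-chosen amount. */
xid_t *alloc_id_list(uint32_t count)
{
    uint32_t bytes;

    if (!checked_list_bytes(count, &bytes))
        return NULL;
    return malloc(bytes ? bytes : 1);   /* avoid ambiguous malloc(0) */
}

int main(void)
{
    /* Constructed hostile count: wraps to 4 bytes if left unchecked. */
    xid_t *ids = alloc_id_list(0x40000001u);
    int rejected = (ids == NULL);

    free(ids);
    return rejected ? 0 : 1;
}
```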
Comment 2 Alan Coopersmith 2007-04-04 17:47:59 UTC
Matthieu integrated the fix into git head and released the security advisory,
so I'm marking this both FIXED and publicly viewable.
