Bug 10001 - integer overflow in xc-misc [CVE-2007-1003]
Product: xorg
Classification: Unclassified
Component: Security
Version: 7.2 (2007.02)
Hardware: All All
Importance: high normal
Assigned To: X.Org Security
X.Org Security
Keywords: security
Depends on:
Reported: 2007-02-16 14:02 UTC by Matthieu Herrb
Modified: 2007-12-10 21:33 UTC (History)

proposed patch (1.05 KB, patch)
2007-02-16 14:08 UTC, Matthieu Herrb

Description Matthieu Herrb 2007-02-16 14:02:36 UTC
iDefense reported an integer overflow in the xc-misc extension, in the ProcXCMiscGetXIDList() function. Moreover, this function uses ALLOCATE_LOCAL (i.e. alloca()) with a user-controlled parameter, which can lead to stack corruption.
Comment 1 Matthieu Herrb 2007-02-16 14:08:07 UTC
Created attachment 8757
proposed patch

Like the dbe patch last time. Check for integer overflow and replace alloca() with Xalloc().
I glimpsed through other Xext uses of ALLOCATE_LOCAL() and didn't spot other cases where it's called with a multiplicative parameter that can be fully controlled by the client to cause an overflow. Another pair of eyes is welcome. (And there are more extensions to check).
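The fix pattern described in the comment above (check the multiplication, then allocate on the heap instead of the stack), as an added C example that is not the attached patch or X.Org code. All names here (`unchecked_size`, `alloc_xid_list`, the error codes and the `max_bytes` cap) are hypothetical, and the cap is an assumed extra policy limit that the bug report does not mention.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define XID_BYTES 4u /* assumed size of one 32-bit resource ID */

enum { XID_OK = 0, XID_ERR_OVERFLOW, XID_ERR_TOO_BIG, XID_ERR_NOMEM };

/* The unchecked size computation in 32-bit arithmetic: the product wraps,
 * so a huge client-supplied count maps to a tiny byte length. */
static uint32_t unchecked_size(uint32_t count)
{
    return count * XID_BYTES;
}

/* Hardened allocation: reject counts whose byte size would wrap, apply a
 * hypothetical policy cap, and use the heap so that failure is a NULL
 * return the caller can handle rather than stack corruption. */
static uint32_t *alloc_xid_list(uint32_t count, size_t max_bytes, int *err)
{
    if (count > UINT32_MAX / XID_BYTES) {
        *err = XID_ERR_OVERFLOW;
        return NULL;
    }
    size_t bytes = (size_t)count * XID_BYTES; /* cannot wrap after the check */
    if (bytes > max_bytes) {
        *err = XID_ERR_TOO_BIG;
        return NULL;
    }
    uint32_t *ids = malloc(bytes ? bytes : 1); /* avoid malloc(0) ambiguity */
    *err = ids ? XID_OK : XID_ERR_NOMEM;
    return ids;
}

int main(void)
{
    uint32_t hostile = 0x40000001u; /* constructed sample count */
    int err;
    printf("unchecked size for count %u: %u bytes\n",
           (unsigned)hostile, (unsigned)unchecked_size(hostile));
    uint32_t *ids = alloc_xid_list(hostile, 1u << 20, &err);
    printf("hardened result: %s (err=%d)\n", ids ? "allocated" : "rejected", err);
    free(ids);
    return 0;
}
```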
Comment 2 Alan Coopersmith 2007-04-04 17:47:59 UTC
Matthieu integrated the fix into git head and released the security advisory,
so I'm marking this both FIXED and publicly viewable.