Bugzilla – Bug 10001
integer overflow in xc-misc [CVE-2007-1003]
Last modified: 2007-12-10 21:33:16 UTC
iDefense reported an integer overflow in the xc-misc extension, in the ProcXCMiscGetXIDList() function. Moreover, this function uses ALLOCATE_LOCAL (i.e. alloca()) with a user-controlled parameter, which can lead to stack corruption.
Created attachment 8757
Like the dbe patch last time. Check for integer overflow and replace alloca() with Xalloc().
I glimpsed through other Xext uses of ALLOCATE_LOCAL() and didn't spot other cases where it's called with a multiplicative parameter that can be fully controlled by the client to cause an overflow. Other pairs of eyes are welcome. (And there are more extensions to check).
Matthieu integrated the fix into git head and released the security advisory, so I'm marking this both FIXED and publicly viewable.
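The bug class discussed in this report, as an added illustration that is not the attached patch and not X.Org code: a client-supplied count multiplied by an element size in 32-bit arithmetic, next to a checked heap allocation. The names `xid_t`, `wrapped_size32`, `checked_id_bytes` and `alloc_id_list` are hypothetical, plain `malloc()` stands in for the server's Xalloc(), and the sample count is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uint32_t xid_t;   /* stand-in for a 32-bit XID (assumption) */

/* Size as computed in 32-bit arithmetic: the product wraps modulo 2^32. */
uint32_t wrapped_size32(uint32_t count)
{
    return count * (uint32_t)sizeof(xid_t);
}

/* Store count * sizeof(xid_t) in *bytes and return 1, or return 0 if the
 * product would not fit in 32 bits. Dividing the limit by the element
 * size avoids performing the multiplication that might wrap. */
int checked_id_bytes(uint32_t count, uint32_t *bytes)
{
    if (count > UINT32_MAX / sizeof(xid_t))
        return 0;
    *bytes = count * (uint32_t)sizeof(xid_t);
    return 1;
}

/* Heap allocation for a client-supplied count. Unlike alloca(), malloc()
 * reports failure by returning NULL, so the caller can reject the request. */
xid_t *alloc_id_list(uint32_t count)
{
    uint32_t bytes;
    if (!checked_id_bytes(count, &bytes))
        return NULL;
    return malloc(bytes ? bytes : 1);
}

int main(void)
{
    uint32_t wrapping = 0x40000001u;   /* constructed sample count */
    xid_t *ids;
    printf("unchecked 32-bit size for count %u: %u bytes\n",
           (unsigned)wrapping, (unsigned)wrapped_size32(wrapping));
    ids = alloc_id_list(wrapping);
    printf("checked allocation: %s\n", ids ? "accepted" : "rejected");
    free(ids);
    ids = alloc_id_list(16);
    printf("count 16: %s\n", ids ? "accepted" : "rejected");
    free(ids);
    return 0;
}
```

With the constructed count, the unchecked size wraps to 4 bytes while the request still claims over a billion entries; the checked path rejects it before any buffer exists.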