Bug 13524 - XFree86-Misc Extension Invalid Array Index Vulnerability
Summary: XFree86-Misc Extension Invalid Array Index Vulnerability
Status: RESOLVED FIXED
Alias: None
Product: xorg
Classification: Unclassified
Component: Security (show other bugs)
Version: 7.3 (2007.09)
Hardware: Other All
: medium normal
Assignee: X.Org Security
QA Contact: X.Org Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-12-04 13:02 UTC by Matthieu Herrb
Modified: 2008-01-17 08:30 UTC (History)
3 users (show)

See Also:
i915 platform:
i915 features:

Attachments
Draft advisory (4.71 KB, text/plain)
2007-12-04 13:03 UTC, Matthieu Herrb 		no flags Details
Proposed fix (800 bytes, patch)
2007-12-11 12:03 UTC, Adam Jackson 		no flags Details | Splinter Review
Testcase (1.29 KB, text/plain)
2007-12-13 18:42 UTC, Alan Coopersmith 		no flags Details
View All

Description Matthieu Herrb 2007-12-04 13:02:23 UTC 
iDefense has sent us the attached draft advisory
Comment 1 Matthieu Herrb 2007-12-04 13:03:10 UTC 
Created attachment 12944 [details]
Draft advisory
Comment 2 Adam Jackson 2007-12-11 12:02:56 UTC 
Summary is wrong, this is a bug in XFree86-Misc, not XC-MISC.

The advisory should absolutely not recommend disabling XC-MISC, it is not affected, and it's basically not possible to run any large app without XC-MISC enabled.
Comment 3 Adam Jackson 2007-12-11 12:03:38 UTC 
Created attachment 13036 [details] [review]
Proposed fix
Comment 4 Alan Coopersmith 2007-12-13 18:19:41 UTC 
(In reply to comment #3)

Shouldn't that be >= xf86NumScreens ?   Do we also need to check for < 0 since
it's a signed int?
Comment 5 Alan Coopersmith 2007-12-13 18:42:27 UTC 
Created attachment 13098 [details]
Testcase

Testcase for this bug - it crashes Xorg on a single head system when run with an 
argument of 1 for the screen number with the ">" fix in, so it appears ">=" is 
needed.
Comment 6 Matthieu Herrb 2008-01-17 08:30:33 UTC 
Patch has been committed: bbde5b62a137ba726a747b838d81e92d72c1b42b and this is public now

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.