Bug 28965 - Off by one error causes SEGV (only DOS)
Summary: Off by one error causes SEGV (only DOS)
Status: RESOLVED FIXED
Alias: None
Product: xorg
Classification: Unclassified
Component: Server/General (show other bugs)
Version: unspecified
Hardware: Other All
Priority: medium Severity: normal
Assignee: X.Org Security
QA Contact: X.Org Security
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
Reported: 2010-07-08 14:05 UTC by halfdog
Modified: 2019-11-19 08:56 UTC (History)


Attachments
Fix off by one by using correct constant definition (336 bytes, patch)
2010-07-08 14:08 UTC, halfdog

Description halfdog 2010-07-08 14:05:15 UTC
During X server security testing, current lucid xserver was terminated on
invalid request:

ii  xserver-xorg         1:7.5+5ubuntu1      the X.Org X server
ii  xserver-xorg-core    2:1.7.6-2ubuntu7.2  Xorg X server - core server


Xext/xvdisp.c:

int
ProcXvDispatch(ClientPtr client)
{
  REQUEST(xReq);

  UpdateCurrentTime();
>>>>>>>>>>> should be xv_LastRequest
  if (stuff->data > xvNumRequests) {
    SendErrorToClient(client, XvReqCode, stuff->data, 0, BadRequest);
    return(BadRequest);
  }

>>>>>>>>>>>> value data=xvNumRequests causes call of null ptr
  return XvProcVector[stuff->data](client);
}

See also:

/usr/include/X11/extensions/Xvproto.h

#define xv_LastRequest                    xv_ShmPutImage
#define xvNumRequests                     (xv_LastRequest + 1)


Credits to me@halfdog.net
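The following added example (not part of the report or of the X server source) models the dispatch check quoted above with a stand-alone table. The constants XV_LAST_REQUEST and XV_NUM_REQUESTS are constructed stand-ins for xv_LastRequest / xvNumRequests (the value 19 is illustrative), and proc_vector stands in for XvProcVector. It shows that a check written as `data > xvNumRequests` admits exactly one index that lies outside the table (data == xvNumRequests, one slot past the end), while `data >= xvNumRequests` (equivalently `data > xv_LastRequest`) admits none. The out-of-table case is reported through a flag instead of being dereferenced, so the flaw shows up as a return value rather than a crash.

```c
#include <stdio.h>

/* Constructed constants mirroring the Xvproto.h pattern: the highest
 * valid minor opcode is XV_LAST_REQUEST and XV_NUM_REQUESTS is the table
 * SIZE, so valid indices run 0 .. XV_LAST_REQUEST inclusive. The value
 * 19 is illustrative only and is not the real xv_ShmPutImage opcode. */
#define XV_LAST_REQUEST 19
#define XV_NUM_REQUESTS (XV_LAST_REQUEST + 1)

typedef int (*req_handler)(int client);

/* Placeholder handler: every real opcode "succeeds" (returns 0). */
static int handler_ok(int client) { (void)client; return 0; }

/* Hypothetical dispatch table with exactly XV_NUM_REQUESTS slots. */
static req_handler proc_vector[XV_NUM_REQUESTS];
static int table_ready = 0;

static void init_table(void) {
    for (int i = 0; i < XV_NUM_REQUESTS; i++) proc_vector[i] = handler_ok;
    table_ready = 1;
}

/* Check as written in the report: only data > xvNumRequests is rejected,
 * so data == xvNumRequests passes and would index one slot past the end. */
static int in_range_buggy(unsigned char data) {
    return !(data > XV_NUM_REQUESTS);
}

/* Corrected check: the index must be strictly less than the table size. */
static int in_range_fixed(unsigned char data) {
    return data < XV_NUM_REQUESTS;
}

/* Count how many of the 256 possible CARD8 opcodes a check admits that
 * lie outside the table. A correct check admits none. */
static int admitted_out_of_table(int (*check)(unsigned char)) {
    int n = 0;
    for (int d = 0; d < 256; d++)
        if (check((unsigned char)d) && d >= XV_NUM_REQUESTS) n++;
    return n;
}

/* Dispatch with the chosen check. Returns 0 on success, -1 for BadRequest.
 * If the check lets an out-of-table index through, *oob is set to 1 and
 * the table is NOT dereferenced (the real server would read past it). */
static int dispatch(unsigned char data, int use_fixed, int *oob) {
    if (!table_ready) init_table();
    *oob = 0;
    int ok = use_fixed ? in_range_fixed(data) : in_range_buggy(data);
    if (!ok) return -1;                       /* BadRequest */
    if (data >= XV_NUM_REQUESTS) {            /* proc_vector[XV_NUM_REQUESTS]: past the end */
        *oob = 1;
        return -1;
    }
    return proc_vector[data](0);
}

int main(void) {
    int oob;
    printf("buggy check admits %d out-of-table opcodes\n",
           admitted_out_of_table(in_range_buggy));
    printf("fixed check admits %d out-of-table opcodes\n",
           admitted_out_of_table(in_range_fixed));
    dispatch((unsigned char)XV_NUM_REQUESTS, 0, &oob);
    printf("data == xvNumRequests with buggy check: out-of-table=%d\n", oob);
    dispatch((unsigned char)XV_NUM_REQUESTS, 1, &oob);
    printf("data == xvNumRequests with fixed check: out-of-table=%d\n", oob);
    return 0;
}
```

The same comparison must be applied on the byte-swapped dispatch path, which the fix commit quoted below in this bug also addresses; a check that is correct in one dispatcher and off by one in the other still leaves the table readable past its end.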
Comment 1 halfdog 2010-07-08 14:08:13 UTC
Created attachment 36887: Fix off by one by using correct constant definition
Comment 2 Julien Cristau 2012-07-24 15:18:40 UTC
This was fixed in 1.12 and the 1.10.x and 1.11.x stable branches.

commit 41229392b790f30a0f0ef1f4ed95647c5bca4001
Author: Dave Airlie <airlied@redhat.com>
Date:   Thu Oct 20 11:00:43 2011 +0100

    xv: test correct number of requests. (v2)
    
    Pointed out by coverity.
    
    v2: fix swapped as well, as pointed out by Alan
    
    Signed-off-by: Dave Airlie <airlied@redhat.com>
    Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>

