XLibre/xserver
1
1
Fork 0
mirror of https://github.com/X11Libre/xserver.git synced 2026-03-24 05:54:08 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix for CVE-2007-6427 - Xinput extension memory corruption.

Browse Source
This commit is contained in:
Matthieu Herrb
2008-01-17 15:27:34 +01:00
parent bbde5b62a1
commit dd5e0f5cd5
8 changed files with 33 additions and 54 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
Xi/sendexev.c
View File

@@ -80,7 +80,7 @@ int
SProcXSendExtensionEvent(ClientPtr client)
{
char n;
long *p;
CARD32 *p;
int i;
xEvent eventT;
xEvent *eventP;
@@ -91,6 +91,11 @@ SProcXSendExtensionEvent(ClientPtr client)
REQUEST_AT_LEAST_SIZE(xSendExtensionEventReq);
swapl(&stuff->destination, n);
swaps(&stuff->count, n);
if (stuff->length != (sizeof(xSendExtensionEventReq) >> 2) + stuff->count +
(stuff->num_events * (sizeof(xEvent) >> 2)))
return BadLength;
eventP = (xEvent *) & stuff[1];
for (i = 0; i < stuff->num_events; i++, eventP++) {
proc = EventSwapVector[eventP->u.u.type & 0177];
@@ -100,11 +105,8 @@ SProcXSendExtensionEvent(ClientPtr client)
*eventP = eventT;
}
p = (long *)(((xEvent *) & stuff[1]) + stuff->num_events);
for (i = 0; i < stuff->count; i++) {
swapl(p, n);
p++;
}
p = (CARD32 *)(((xEvent *) & stuff[1]) + stuff->num_events);
SwapLongs(p, stuff->count);
return (ProcXSendExtensionEvent(client));
}