summaryrefslogtreecommitdiffstats
path: root/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2025-49176-2.patch
blob: 6476af9a8519fd276e7a8ad1930bf6f5a0775686 (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37

From 4fc4d76b2c7aaed61ed2653f997783a3714c4fe1 Mon Sep 17 00:00:00 2001
From: Olivier Fourdan <ofourdan@redhat.com>
Date: Wed, 18 Jun 2025 08:39:02 +0200
Subject: [PATCH] os: Check for integer overflow on BigRequest length

Check for another possible integer overflow once we get a complete xReq
with BigRequest.

Related to CVE-2025-49176

Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Suggested-by: Peter Harris <pharris2@rocketsoftware.com>
Part-of: <https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/2028>

Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/4fc4d76b2c7aaed61ed2653f997783a3714c4fe1]
CVE: CVE-2025-49176 #Follow-up Patch
Signed-off-by: Vijay Anusuri <vanusuri@mvista.com>
---
 os/io.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/os/io.c b/os/io.c
index e7b76b9cea..167b40a720 100644
--- a/os/io.c
+++ b/os/io.c
@@ -394,6 +394,8 @@ ReadRequestFromClient(ClientPtr client)
                     needed = get_big_req_len(request, client);
             }
             client->req_len = needed;
+            if (needed > MAXINT >> 2)
+                return -(BadLength);
             needed <<= 2;
         }
         if (gotnow < needed) {
-- 
GitLab
generated by cgit v1.2.3-54-g00ecf (git 2.39.0) at 2026-04-23 21:28:40 +0000