author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-04-13 10:24:08 -0700 |
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-05-03 23:54:16 -0700 |
commit | c480fe3271873ec7471b0cbd680f4dac18ca8904 (patch) | |
tree | 705d4675da377371a3663e9d8f8302f35d4485d8 /src | |
parent | b031e3b60fa1af9e49449f23d4a84395868be3ab (diff) |
integer overflow in XFixesGetCursorImage() [CVE-2013-1983]
If the reported cursor dimensions or name length are too large, the
calculations to allocate memory for them may overflow, leaving us
writing beyond the bounds of the allocation.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/Cursor.c | 30 |
1 files changed, 18 insertions, 12 deletions
diff --git a/src/Cursor.c b/src/Cursor.c
index 641b747..33590b7 100644
--- a/src/Cursor.c
+++ b/src/Cursor.c
@@ -47,6 +47,7 @@
 #include <config.h>
 #endif
 #include "Xfixesint.h"
+#include <limits.h>
 
 void
 XFixesSelectCursorInput (Display *dpy,
@@ -74,9 +75,9 @@ XFixesGetCursorImage (Display *dpy)
 XFixesExtDisplayInfo *info = XFixesFindDisplay (dpy);
 xXFixesGetCursorImageAndNameReq *req;
 xXFixesGetCursorImageAndNameReply rep;
- int npixels;
- int nbytes_name;
- int nbytes, nread, rlength;
+ size_t npixels;
+ size_t nbytes_name;
+ size_t nbytes, nread, rlength;
 XFixesCursorImage *image;
 char *name;
 
@@ -101,16 +102,21 @@ XFixesGetCursorImage (Display *dpy)
 }
 npixels = rep.width * rep.height;
 nbytes_name = rep.nbytes;
- /* reply data length */
- nbytes = (long) rep.length << 2;
- /* bytes of actual data in the reply */
- nread = (npixels << 2) + nbytes_name;
- /* size of data returned to application */
- rlength = (sizeof (XFixesCursorImage) +
- npixels * sizeof (unsigned long) +
- nbytes_name + 1);
+ if ((rep.length < (INT_MAX >> 2)) &&
+ npixels < (((INT_MAX >> 3) - sizeof (XFixesCursorImage) - 1)
+ - nbytes_name)) {
+ /* reply data length */
+ nbytes = (size_t) rep.length << 2;
+ /* bytes of actual data in the reply */
+ nread = (npixels << 2) + nbytes_name;
+ /* size of data returned to application */
+ rlength = (sizeof (XFixesCursorImage) +
+ npixels * sizeof (unsigned long) +
+ nbytes_name + 1);
 
- image = (XFixesCursorImage *) Xmalloc (rlength);
+ image = Xmalloc (rlength);
+ } else
+ image = NULL;
 if (!image)
 {
 _XEatDataWords(dpy, rep.length); |
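Review bot: The new guard in the third hunk runs after the unchanged context line `npixels = rep.width * rep.height;`, and if width and height are the 16-bit reply fields the wire protocol defines, that product is computed in int and can exceed INT_MAX before it is widened to size_t, so the size_t declarations from the second hunk do not remove the signed overflow on that line; writing it as `npixels = (size_t) rep.width * rep.height;` makes the multiplication happen in size_t and lets the guard see the true pixel count. The guard's right-hand side also subtracts `nbytes_name` in unsigned arithmetic, which cannot wrap for a 16-bit name length but relies on that silently; a comment such as `/* nbytes_name comes from a 16-bit wire field, so the subtraction cannot wrap */` would make the assumption explicit for the next reader. XFixesGetCursorImage begins before the second hunk and continues past the end of the third.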