From 61c1039ee23a2d1de712843bed3480654d7ef42e Mon Sep 17 00:00:00 2001 From: Tobias Stoeckmann Date: Sun, 25 Sep 2016 22:38:44 +0200 Subject: Integer overflow on illegal server response The 32 bit field "rep.length" is not checked for validity, which allows an integer overflow on 32 bit systems. A malicious server could send INT_MAX as length, which gets multiplied by the size of XRectangle. In that case the client won't read the whole data from server, getting out of sync. Signed-off-by: Tobias Stoeckmann Reviewed-by: Matthieu Herrb --- src/Region.c | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/src/Region.c b/src/Region.c index cb0cf6e..59bcc1a 100644 --- a/src/Region.c +++ b/src/Region.c @@ -23,6 +23,7 @@ #ifdef HAVE_CONFIG_H #include #endif +#include #include "Xfixesint.h" XserverRegion @@ -333,9 +334,17 @@ XFixesFetchRegionAndBounds (Display *dpy, bounds->y = rep.y; bounds->width = rep.width; bounds->height = rep.height; - nbytes = (long) rep.length << 2; - nrects = rep.length >> 1; - rects = Xmalloc (nrects * sizeof (XRectangle)); + + if (rep.length < (INT_MAX >> 2)) { + nbytes = (long) rep.length << 2; + nrects = rep.length >> 1; + rects = Xmalloc (nrects * sizeof (XRectangle)); + } else { + nbytes = 0; + nrects = 0; + rects = NULL; + } + if (!rects) { _XEatDataWords(dpy, rep.length); -- cgit v1.2.3