diff options
author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-03-09 22:55:23 -0800 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-05-23 08:13:26 -0700 |
commit | 6dd6dc51a2935c72774be81e5cc2ba2c30e9feff (patch) | |
tree | b1b6a6e8dc2c87bdf42b4c1a919590cafb81e0bb | |
parent | 322ee3576789380222d4403366e4fd12fb24cb6a (diff) |
integer overflow in XGetDeviceDontPropagateList() [CVE-2013-1984 3/8]
If the number of event classes reported by the server is large enough
that it overflows when multiplied by the size of the appropriate struct,
then memory corruption can occur when more bytes are copied from the
X server reply than the size of the buffer we allocated to hold them.
V2: EatData if count is 0 but length is > 0 to avoid XIOErrors
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
-rw-r--r-- | src/XGetProp.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/src/XGetProp.c b/src/XGetProp.c index 34bc581..b49328c 100644 --- a/src/XGetProp.c +++ b/src/XGetProp.c @@ -60,6 +60,7 @@ SOFTWARE. #include <X11/extensions/XInput.h> #include <X11/extensions/extutil.h> #include "XIint.h" +#include <limits.h> XEventClass * XGetDeviceDontPropagateList( @@ -88,10 +89,11 @@ XGetDeviceDontPropagateList( } *count = rep.count; - if (*count) { - list = (XEventClass *) Xmalloc(rep.length * sizeof(XEventClass)); + if (rep.length != 0) { + if ((rep.count != 0) && (rep.length < (INT_MAX / sizeof(XEventClass)))) + list = Xmalloc(rep.length * sizeof(XEventClass)); if (list) { - int i; + unsigned int i; CARD32 ec; /* read and assign each XEventClass separately because |