Properly validate server responses.

By validating length fields from server responses, out of boundary accesses and endless loops can be mitigated. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org> Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
author: Tobias Stoeckmann <tobias@stoeckmann.org> 2016-09-25 22:31:34 +0200
committer: Matthieu Herrb <matthieu@herrb.eu> 2016-09-25 22:31:34 +0200
commit: 19a9cd607de73947fcfb104682f203ffe4e1f4e5 (patch)
tree: 5fbb89ac3f543a3b25d9eb9e85def0e19b174e9e /src/XGMotion.c
parent: 2286282f965064176b3b1492646c6e2e0f4ab7dd (diff)
1 files changed, 2 insertions, 1 deletions
diff --git a/src/XGMotion.c b/src/XGMotion.c
index 7785843..9433e29 100644
--- a/src/XGMotion.c
+++ b/src/XGMotion.c
@@ -114,7 +114,8 @@ XGetDeviceMotionEvents(
     }
     /* rep.axes is a CARD8, so assume max number of axes for bounds check */
     if (rep.nEvents <
-	(INT_MAX / (sizeof(XDeviceTimeCoord) + (UCHAR_MAX * sizeof(int))))) {
+	(INT_MAX / (sizeof(XDeviceTimeCoord) + (UCHAR_MAX * sizeof(int)))) &&
+	rep.nEvents * (rep.axes + 1) <= rep.length) {
 	size_t bsize = rep.nEvents *
 	    (sizeof(XDeviceTimeCoord) + (rep.axes * sizeof(int)));
 	bufp = Xmalloc(bsize);
author	Tobias Stoeckmann <tobias@stoeckmann.org>	2016-09-25 22:31:34 +0200
committer	Matthieu Herrb <matthieu@herrb.eu>	2016-09-25 22:31:34 +0200
commit	19a9cd607de73947fcfb104682f203ffe4e1f4e5 (patch)
tree	5fbb89ac3f543a3b25d9eb9e85def0e19b174e9e /src/XGMotion.c
parent	2286282f965064176b3b1492646c6e2e0f4ab7dd (diff)