integer overflow in XGetDeviceDontPropagateList() [CVE-2013-1984 3/8]

If the number of event classes reported by the server is large enough
that it overflows when multiplied by the size of the appropriate struct,
then memory corruption can occur when more bytes are copied from the
X server reply than the size of the buffer we allocated to hold them.

V2: EatData if count is 0 but length is > 0 to avoid XIOErrors

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>

1 files changed, 5 insertions, 3 deletions

diff --git a/src/XGetProp.c b/src/XGetProp.c
index 34bc581..b49328c 100644
--- a/src/XGetProp.c
+++ b/src/XGetProp.c
@@ -60,6 +60,7 @@ SOFTWARE.
 #include <X11/extensions/XInput.h>
 #include <X11/extensions/extutil.h>
 #include "XIint.h"
+#include <limits.h>
 
 XEventClass *
 XGetDeviceDontPropagateList(
@@ -88,10 +89,11 @@ XGetDeviceDontPropagateList(
     }
     *count = rep.count;
 
-    if (*count) {
-	list = (XEventClass *) Xmalloc(rep.length * sizeof(XEventClass));
+    if (rep.length != 0) {
+	if ((rep.count != 0) && (rep.length < (INT_MAX / sizeof(XEventClass))))
+	    list = Xmalloc(rep.length * sizeof(XEventClass));
 	if (list) {
-	    int i;
+	    unsigned int i;
 	    CARD32 ec;
 
 	    /* read and assign each XEventClass separately because