From ef82512288d8ca36ac0beeb289f158195b0a8cae Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 10 Mar 2013 00:22:14 -0800
Subject: Avoid integer overflow in XListInputDevices() [CVE-2013-1984 8/8]

If the length of the reply as reported by the Xserver is too long, it
could overflow the calculation for the size of the buffer to copy the
reply into, causing memory corruption.

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
 src/XListDev.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

(limited to 'src/XListDev.c')

diff --git a/src/XListDev.c b/src/XListDev.c
index 1fa4747..1c14b96 100644
--- a/src/XListDev.c
+++ b/src/XListDev.c
@@ -60,6 +60,7 @@ SOFTWARE.
 #include <X11/extensions/XInput.h>
 #include <X11/extensions/extutil.h>
 #include "XIint.h"
+#include <limits.h>
 
 /* Calculate length field to a multiples of sizeof(XID). XIDs are typedefs
  * to ulong and thus may be 8 bytes on some platforms. This can trigger a
@@ -179,7 +180,7 @@ XListInputDevices(
     XAnyClassPtr Any;
     char *nptr, *Nptr;
     int i;
-    long rlen;
+    unsigned long rlen;
     XExtDisplayInfo *info = XInput_find_display(dpy);
 
     LockDisplay(dpy);
@@ -198,9 +199,10 @@ XListInputDevices(
 
     if ((*ndevices = rep.ndevices)) {	/* at least 1 input device */
 	size = *ndevices * sizeof(XDeviceInfo);
-	rlen = rep.length << 2;	/* multiply length by 4    */
-	list = (xDeviceInfo *) Xmalloc(rlen);
-	slist = list;
+	if (rep.length < (INT_MAX >> 2)) {
+	    rlen = rep.length << 2;	/* multiply length by 4    */
+	    slist = list = Xmalloc(rlen);
+	}
 	if (!slist) {
 	    _XEatDataWords(dpy, rep.length);
 	    UnlockDisplay(dpy);
-- 
cgit v1.2.3