authorTobias Stoeckmann <tobias@stoeckmann.org>2016-09-25 22:21:40 +0200
committerMatthieu Herrb <matthieu@herrb.eu>2016-09-25 22:21:40 +0200
commita0df3e1c7728205e5c7650b2e6dce684139254a6 (patch)
tree3b42f0be1951f6e1c1427cf6630786d32eb0c3b4 /src/XrrMonitor.c
parent8ac94020b018105240ea45a87df2603d1eb5808b (diff)
Avoid out of boundary accesses on illegal responses
The responses of the connected X server have to be properly checked to avoid out of boundary accesses that could otherwise be triggered by a malicious server. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org> Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
Diffstat (limited to 'src/XrrMonitor.c')
-rw-r--r--src/XrrMonitor.c18
1 files changed, 18 insertions, 0 deletions
diff --git a/src/XrrMonitor.c b/src/XrrMonitor.c
index a9eaa7b..adc5330 100644
--- a/src/XrrMonitor.c
+++ b/src/XrrMonitor.c
@@ -24,6 +24,7 @@
#include <config.h>
#endif
+#include <limits.h>
#include <stdio.h>
#include <X11/Xlib.h>
/* we need to be able to manipulate the Display structure on events */
@@ -65,6 +66,15 @@ XRRGetMonitors(Display *dpy, Window window, Bool get_active, int *nmonitors)
return NULL;
}
+ if (rep.length > INT_MAX >> 2 ||
+ rep.nmonitors > INT_MAX / SIZEOF(xRRMonitorInfo) ||
+ rep.noutputs > INT_MAX / 4 ||
+ rep.nmonitors * SIZEOF(xRRMonitorInfo) > INT_MAX - rep.noutputs * 4) {
+ _XEatData (dpy, rep.length);
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ return NULL;
+ }
nbytes = (long) rep.length << 2;
nmon = rep.nmonitors;
noutput = rep.noutputs;
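Review bot: The rejection branch calls `_XEatData (dpy, rep.length)`, which discards a byte count, while `nbytes = (long) rep.length << 2` just below shows that rep.length is in 4-byte units. Only a quarter of the reply body is drained, so the remainder stays queued on the connection and later replies would be parsed from stale data; use `_XEatDataWords (dpy, rep.length);` instead. Separately, the four conditions bound each field on its own but never compare `rep.nmonitors * SIZEOF(xRRMonitorInfo) + rep.noutputs * 4` with `rep.length << 2`. If the code after the hunk sizes the buffer from one and the read length from the other, that comparison belongs in this check too. The body of XRRGetMonitors continues outside the hunk.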
@@ -111,6 +121,14 @@ XRRGetMonitors(Display *dpy, Window window, Bool get_active, int *nmonitors)
mon[m].outputs = output;
buf += SIZEOF (xRRMonitorInfo);
xoutput = (CARD32 *) buf;
+ if (xmon->noutput > rep.noutputs) {
+ Xfree(buf);
+ Xfree(mon);
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ return NULL;
+ }
+ rep.noutputs -= xmon->noutput;
for (o = 0; o < xmon->noutput; o++)
output[o] = xoutput[o];
output += xmon->noutput;
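Review bot: The new error path calls `Xfree(buf)` after `buf += SIZEOF (xRRMonitorInfo)` two lines earlier, and probably after further advances in previous loop iterations, so the pointer handed to Xfree is no longer the address the allocator returned. The allocation is outside the hunk, but unless buf is reset somewhere not shown, this frees an interior pointer on exactly the path a malformed reply takes. Keep the allocation base in its own local and walk the data with a separate cursor, so the branch can do `Xfree(buf_start);` (where `buf_start` is a new variable set when the buffer is allocated). Any later `Xfree(buf)` after the loop would need the same change. The loop and the function both start and end outside this hunk.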