summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-04-12 21:44:59 -0700
committerAlan Coopersmith <alan.coopersmith@oracle.com>2013-05-04 21:44:34 -0700
commit1da5b838c2a8565d4d95a4e948f951ce6b466345 (patch)
tree6b86fe7396a9852590ba3067fd1922af68e20a89 /src
parent0e79d96c36aef5889ae2e2a3fc2e96e93f30dc21 (diff)
integer overflow in XRRQueryProviderProperty() [CVE-2013-1986 2/4]
Same problem as XRRQueryOutputProperty() that it was cloned from Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Diffstat (limited to 'src')
-rw-r--r--src/XrrProviderProperty.c13
1 files changed, 9 insertions, 4 deletions
diff --git a/src/XrrProviderProperty.c b/src/XrrProviderProperty.c
index 2d90a0a..dc699f6 100644
--- a/src/XrrProviderProperty.c
+++ b/src/XrrProviderProperty.c
@@ -31,6 +31,7 @@
#include <X11/extensions/render.h>
#include <X11/extensions/Xrender.h>
#include "Xrandrint.h"
+#include <limits.h>
Atom *
XRRListProviderProperties (Display *dpy, RRProvider provider, int *nprop)
@@ -84,7 +85,7 @@ XRRQueryProviderProperty (Display *dpy, RRProvider provider, Atom property)
XExtDisplayInfo *info = XRRFindDisplay(dpy);
xRRQueryProviderPropertyReply rep;
xRRQueryProviderPropertyReq *req;
- int rbytes, nbytes;
+ unsigned int rbytes, nbytes;
XRRPropertyInfo *prop_info;
RRCheckExtension (dpy, info, NULL);
@@ -102,10 +103,14 @@ XRRQueryProviderProperty (Display *dpy, RRProvider provider, Atom property)
return NULL;
}
- rbytes = sizeof (XRRPropertyInfo) + rep.length * sizeof (long);
- nbytes = rep.length << 2;
+ if (rep.length < ((INT_MAX / sizeof(long)) - sizeof (XRRPropertyInfo))) {
+ rbytes = sizeof (XRRPropertyInfo) + (rep.length * sizeof (long));
+ nbytes = rep.length << 2;
+
+ prop_info = Xmalloc (rbytes);
+ } else
+ prop_info = NULL;
- prop_info = (XRRPropertyInfo *) Xmalloc (rbytes);
if (prop_info == NULL) {
_XEatDataWords (dpy, rep.length);
UnlockDisplay (dpy);