author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-04-12 21:44:59 -0700 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-05-04 21:44:34 -0700 |
commit | 1da5b838c2a8565d4d95a4e948f951ce6b466345 (patch) | |
tree | 6b86fe7396a9852590ba3067fd1922af68e20a89 /src | |
parent | 0e79d96c36aef5889ae2e2a3fc2e96e93f30dc21 (diff) |
integer overflow in XRRQueryProviderProperty() [CVE-2013-1986 2/4]
Same problem as XRRQueryOutputProperty() that it was cloned from
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/XrrProviderProperty.c | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/src/XrrProviderProperty.c b/src/XrrProviderProperty.c
index 2d90a0a..dc699f6 100644
--- a/src/XrrProviderProperty.c
+++ b/src/XrrProviderProperty.c
@@ -31,6 +31,7 @@
 #include <X11/extensions/render.h>
 #include <X11/extensions/Xrender.h>
 #include "Xrandrint.h"
+#include <limits.h>
 Atom * XRRListProviderProperties (Display *dpy, RRProvider provider, int *nprop)
@@ -84,7 +85,7 @@ XRRQueryProviderProperty (Display *dpy, RRProvider provider, Atom property)
 XExtDisplayInfo *info = XRRFindDisplay(dpy);
 xRRQueryProviderPropertyReply rep;
 xRRQueryProviderPropertyReq *req;
- int rbytes, nbytes;
+ unsigned int rbytes, nbytes;
 XRRPropertyInfo *prop_info;
 RRCheckExtension (dpy, info, NULL);
@@ -102,10 +103,14 @@ XRRQueryProviderProperty (Display *dpy, RRProvider provider, Atom property)
 return NULL;
 }
- rbytes = sizeof (XRRPropertyInfo) + rep.length * sizeof (long);
- nbytes = rep.length << 2;
+ if (rep.length < ((INT_MAX / sizeof(long)) - sizeof (XRRPropertyInfo))) {
+ rbytes = sizeof (XRRPropertyInfo) + (rep.length * sizeof (long));
+ nbytes = rep.length << 2;
+
+ prop_info = Xmalloc (rbytes);
+ } else
+ prop_info = NULL;
- prop_info = (XRRPropertyInfo *) Xmalloc (rbytes);
 if (prop_info == NULL) {
 _XEatDataWords (dpy, rep.length);
 UnlockDisplay (dpy); |
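Review bot: The bound in the new `if` of the third hunk subtracts `sizeof (XRRPropertyInfo)`, a byte count, from `INT_MAX / sizeof(long)`, a count of longs, so it is stricter than it needs to be and harder to check by eye against the allocation it guards. It is still safe, since it keeps `rbytes` below `INT_MAX`, but `if (rep.length < (INT_MAX - sizeof (XRRPropertyInfo)) / sizeof (long)) {` mirrors the `rbytes` expression directly. A short comment such as `/* rep.length comes from the server reply; bound it before sizing the buffer */` would record why the check exists. The `else` branch leaves `rbytes` and `nbytes` unset, which is fine only if the NULL path returns before either is read; the function body continues outside the hunk, so that is worth confirming.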