summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-04-12 23:02:11 -0700
committerAlan Coopersmith <alan.coopersmith@oracle.com>2013-05-05 16:00:55 -0700
commit786f78fd8df6d165ccbc81f306fd9f22b5c1551c (patch)
tree9ed219c77ea8f7e07906c16de6e5886ab77e3194 /src
parent9e577d40322b9e3d8bdefec0eefa44d8ead451a4 (diff)
integer overflow in XRenderQueryPictIndexValues() [CVE-2013-1987 3/3]
The length and numIndexValues members of the reply are both CARD32 and need to be bounds checked before multiplying by sizeof (XIndexValue) to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Diffstat (limited to 'src')
-rw-r--r--src/Xrender.c25
1 files changed, 16 insertions, 9 deletions
diff --git a/src/Xrender.c b/src/Xrender.c
index a62c753..3102eb2 100644
--- a/src/Xrender.c
+++ b/src/Xrender.c
@@ -844,7 +844,7 @@ XRenderQueryPictIndexValues(Display *dpy,
xRenderQueryPictIndexValuesReq *req;
xRenderQueryPictIndexValuesReply rep;
XIndexValue *values;
- int nbytes, nread, rlength, i;
+ unsigned int nbytes, nread, rlength, i;
RenderCheckExtension (dpy, info, NULL);
@@ -860,15 +860,22 @@ XRenderQueryPictIndexValues(Display *dpy,
return NULL;
}
- /* request data length */
- nbytes = (long)rep.length << 2;
- /* bytes of actual data in the request */
- nread = rep.numIndexValues * SIZEOF (xIndexValue);
- /* size of array returned to application */
- rlength = rep.numIndexValues * sizeof (XIndexValue);
+ if ((rep.length < (INT_MAX >> 2)) &&
+ (rep.numIndexValues < (INT_MAX / sizeof (XIndexValue)))) {
+ /* request data length */
+ nbytes = rep.length << 2;
+ /* bytes of actual data in the request */
+ nread = rep.numIndexValues * SIZEOF (xIndexValue);
+ /* size of array returned to application */
+ rlength = rep.numIndexValues * sizeof (XIndexValue);
+
+ /* allocate returned data */
+ values = Xmalloc (rlength);
+ } else {
+ nbytes = nread = rlength = 0;
+ values = NULL;
+ }
- /* allocate returned data */
- values = (XIndexValue *)Xmalloc (rlength);
if (!values)
{
_XEatDataWords (dpy, rep.length);