integer overflow in XvQueryPortAttributes() [CVE-2013-1989 1/3]

The num_attributes & text_size members of the reply are both CARD32s and need to be bounds checked before multiplying & adding them together to come up with the total size to allocate, to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
author: Alan Coopersmith <alan.coopersmith@oracle.com> 2013-04-13 00:03:03 -0700
committer: Alan Coopersmith <alan.coopersmith@oracle.com> 2013-04-26 15:47:05 -0700
commit: 6e1b743a276651195be3cd68dff41e38426bf3ab (patch)
tree: a0f496e05a93a4645c8f2942e851a17d9f2065a8
parent: 79362c764a6df7e7fbe5247756bdbf60f3a58baf (diff)
1 files changed, 8 insertions, 2 deletions
diff --git a/src/Xv.c b/src/Xv.c
index 5be1d95..3cbad35 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -851,9 +851,15 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
   }
 
   if(rep.num_attributes) {
-      int size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size;
+      unsigned long size;
+      /* limit each part to no more than one half the max size */
+      if ((rep.num_attributes < ((INT_MAX / 2) / sizeof(XvAttribute))) &&
+	  (rep.text_size < (INT_MAX / 2))) {
+	  size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size;
+	  ret = Xmalloc(size);
+      }
 
-      if((ret = Xmalloc(size))) {
+      if (ret != NULL) {
 	  char* marker = (char*)(&ret[rep.num_attributes]);
 	  xvAttributeInfo Info;
 	  int i;
author	Alan Coopersmith <alan.coopersmith@oracle.com>	2013-04-13 00:03:03 -0700
committer	Alan Coopersmith <alan.coopersmith@oracle.com>	2013-04-26 15:47:05 -0700
commit	6e1b743a276651195be3cd68dff41e38426bf3ab (patch)
tree	a0f496e05a93a4645c8f2942e851a17d9f2065a8
parent	79362c764a6df7e7fbe5247756bdbf60f3a58baf (diff)