diff options
author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-04-13 00:03:03 -0700 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-05-07 14:04:18 -0700 |
commit | 59301c1b5095f7dc6359d5b396dbbcdee7038270 (patch) | |
tree | 8638a40c1ca8bae4a3b99ebf9556eb63c83ccd34 | |
parent | 15ab7dec17d686c38f2c82ac23a17cac5622322a (diff) |
integer overflow in XvListImageFormats() [CVE-2013-1989 2/3]
num_formats is a CARD32 and needs to be bounds checked before multiplying
by sizeof(XvImageFormatValues) to come up with the total size to allocate,
to avoid integer overflow leading to underallocation and writing data from
the network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-rw-r--r-- | src/Xv.c | 5 |
1 files changed, 3 insertions, 2 deletions
@@ -918,9 +918,10 @@ XvImageFormatValues * XvListImageFormats ( } if(rep.num_formats) { - int size = (rep.num_formats * sizeof(XvImageFormatValues)); + if (rep.num_formats < (INT_MAX / sizeof(XvImageFormatValues))) + ret = Xmalloc(rep.num_formats * sizeof(XvImageFormatValues)); - if((ret = Xmalloc(size))) { + if (ret != NULL) { xvImageFormatInfo Info; int i; |