diff options
author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-04-13 00:03:03 -0700 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-04-26 15:47:05 -0700 |
commit | 6e1b743a276651195be3cd68dff41e38426bf3ab (patch) | |
tree | a0f496e05a93a4645c8f2942e851a17d9f2065a8 /src/Xv.c | |
parent | 79362c764a6df7e7fbe5247756bdbf60f3a58baf (diff) |
integer overflow in XvQueryPortAttributes() [CVE-2013-1989 1/3]
The num_attributes & text_size members of the reply are both CARD32s
and need to be bounds checked before multiplying & adding them together
to come up with the total size to allocate, to avoid integer overflow
leading to underallocation and writing data from the network past the
end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Diffstat (limited to 'src/Xv.c')
-rw-r--r-- | src/Xv.c | 10 |
1 files changed, 8 insertions, 2 deletions
@@ -851,9 +851,15 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num) } if(rep.num_attributes) { - int size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size; + unsigned long size; + /* limit each part to no more than one half the max size */ + if ((rep.num_attributes < ((INT_MAX / 2) / sizeof(XvAttribute))) && + (rep.text_size < (INT_MAX / 2))) { + size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size; + ret = Xmalloc(size); + } - if((ret = Xmalloc(size))) { + if (ret != NULL) { char* marker = (char*)(&ret[rep.num_attributes]); xvAttributeInfo Info; int i; |