authorJulien Cristau <jcristau@debian.org>2013-06-01 11:26:15 +0200
committerAlan Coopersmith <alan.coopersmith@oracle.com>2013-06-06 22:06:09 -0700
commit554200b59e880a1cf36dd244eeb5f330d93499b6 (patch)
tree4f26fe6095f9cab067d3155ce745a63fd0541594
parent8c164524d229adb6141fdac8336b3823e7fe1a5d (diff)
avoid overflowing by making nameLen and busIDLen addition overflow
Al Viro pointed this out on lwn: if nameLen + busIDLen overflows, we end up copying data from outside tmpBuf. Reported-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-rw-r--r--src/XvMC.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/src/XvMC.c b/src/XvMC.c
index 74c8b85..00ac760 100644
--- a/src/XvMC.c
+++ b/src/XvMC.c
@@ -573,7 +573,9 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port,
unsigned long realSize = 0;
char *tmpBuf = NULL;
- if (rep.length < (INT_MAX >> 2)) {
+ if ((rep.length < (INT_MAX >> 2)) &&
+ /* protect against overflow in strncpy below */
+ (rep.nameLen + rep.busIDLen > rep.nameLen)) {
realSize = rep.length << 2;
if (realSize >= (rep.nameLen + rep.busIDLen)) {
tmpBuf = Xmalloc(realSize);
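Review bot: The added test `(rep.nameLen + rep.busIDLen > rep.nameLen)` is false not only when the sum wraps but also when `rep.busIDLen` is 0, so a reply with an empty bus ID is now rejected even though nothing overflows, and the comment mentions only the overflow. The mirror case, `rep.nameLen == 0` with a non-zero `busIDLen`, still passes, so zero lengths are treated asymmetrically. The strncpy and termination code that consumes these lengths lies outside this hunk, so whether rejecting a zero `busIDLen` is wanted cannot be confirmed from here. If it is intended, say so in the comment, e.g. `/* reject a wrapped sum; this also rejects busIDLen == 0 */`; otherwise `>=` is the exact wrap test, paired with explicit non-zero checks on both server-supplied lengths. The comparison relies on unsigned wraparound, which presumably holds for these reply fields, though their declarations are not visible here.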