integer overflow in XvMCListSurfaceTypes() [CVE-2013-1990 1/2]

rep.num is a CARD32 and needs to be bounds checked before multiplying by sizeof(XvMCSurfaceInfo) to come up with the total size to allocate, to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
author: Alan Coopersmith <alan.coopersmith@oracle.com> 2013-04-13 00:50:02 -0700
committer: Alan Coopersmith <alan.coopersmith@oracle.com> 2013-04-26 15:49:43 -0700
commit: 2712383813b26475dc6713888414d842be57f8ca (patch)
tree: bae7a433f56376b91dce580988ed3b5a41af5691 /src/XvMC.c
parent: cf1a1dc1b9ca34a29d0471da9389f8eae70ddbd9 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/src/XvMC.c b/src/XvMC.c
index b3e97ec..5d8c2cf 100644
--- a/src/XvMC.c
+++ b/src/XvMC.c
@@ -123,8 +123,8 @@ XvMCSurfaceInfo * XvMCListSurfaceTypes(Display *dpy, XvPortID port, int *num)
     }
 
     if(rep.num > 0) {
-	surface_info =
-	    (XvMCSurfaceInfo*)Xmalloc(rep.num * sizeof(XvMCSurfaceInfo));
+        if (rep.num < (INT_MAX / sizeof(XvMCSurfaceInfo)))
+            surface_info = Xmalloc(rep.num * sizeof(XvMCSurfaceInfo));
 
         if(surface_info) {
 	    xvmcSurfaceInfo sinfo;
author	Alan Coopersmith <alan.coopersmith@oracle.com>	2013-04-13 00:50:02 -0700
committer	Alan Coopersmith <alan.coopersmith@oracle.com>	2013-04-26 15:49:43 -0700
commit	2712383813b26475dc6713888414d842be57f8ca (patch)
tree	bae7a433f56376b91dce580988ed3b5a41af5691 /src/XvMC.c
parent	cf1a1dc1b9ca34a29d0471da9389f8eae70ddbd9 (diff)