integer overflow in XvMCListSubpictureTypes() [CVE-2013-1990 2/2]

rep.num is a CARD32 and needs to be bounds checked before multiplying by sizeof(XvImageFormatValues) to come up with the total size to allocate, to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
author: Alan Coopersmith <alan.coopersmith@oracle.com> 2013-04-13 00:50:02 -0700
committer: Alan Coopersmith <alan.coopersmith@oracle.com> 2013-04-26 15:49:59 -0700
commit: 478d4e5873eeee2ebdce6673e4e3469816ab63b8 (patch)
tree: fe8bee2409fba57dc83b3314fbe01e0466567b32 /src/XvMC.c
parent: 2712383813b26475dc6713888414d842be57f8ca (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/src/XvMC.c b/src/XvMC.c
index 5d8c2cf..8d602ec 100644
--- a/src/XvMC.c
+++ b/src/XvMC.c
@@ -184,8 +184,8 @@ XvImageFormatValues * XvMCListSubpictureTypes (
     }
 
     if(rep.num > 0) {
-        ret =
-	   (XvImageFormatValues*)Xmalloc(rep.num * sizeof(XvImageFormatValues));
+        if (rep.num < (INT_MAX / sizeof(XvImageFormatValues)))
+            ret = Xmalloc(rep.num * sizeof(XvImageFormatValues));
 
         if(ret) {
             xvImageFormatInfo Info;
author	Alan Coopersmith <alan.coopersmith@oracle.com>	2013-04-13 00:50:02 -0700
committer	Alan Coopersmith <alan.coopersmith@oracle.com>	2013-04-26 15:49:59 -0700
commit	478d4e5873eeee2ebdce6673e4e3469816ab63b8 (patch)
tree	fe8bee2409fba57dc83b3314fbe01e0466567b32 /src/XvMC.c
parent	2712383813b26475dc6713888414d842be57f8ca (diff)