diff options
author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-04-13 00:50:02 -0700 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-04-26 15:50:08 -0700 |
commit | 5fd871e5f878810f8f8837725d548e07e89577ab (patch) | |
tree | 788c4cf55ee261b925e66ac40a76d2a83ecc9d5e /src/XvMC.c | |
parent | 478d4e5873eeee2ebdce6673e4e3469816ab63b8 (diff) |
integer overflow in _xvmc_create_*()
rep.length is a CARD32 and should be bounds checked before left-shifting
by 2 bits to come up with the total size to allocate, though in these
cases, no buffer overflow should occur here, since the XRead call is passed
the same rep.length << 2 length argument, but the *priv_count returned to
the caller could be interpreted or used to calculate a larger buffer size
than was actually allocated, leading them to go out of bounds.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Diffstat (limited to 'src/XvMC.c')
-rw-r--r-- | src/XvMC.c | 9 |
1 files changed, 6 insertions, 3 deletions
@@ -285,7 +285,8 @@ Status _xvmc_create_context ( context->flags = rep.flags_return; if(rep.length) { - *priv_data = Xmalloc(rep.length << 2); + if (rep.length < (INT_MAX >> 2)) + *priv_data = Xmalloc(rep.length << 2); if(*priv_data) { _XRead(dpy, (char*)(*priv_data), rep.length << 2); *priv_count = rep.length; @@ -366,7 +367,8 @@ Status _xvmc_create_surface ( } if(rep.length) { - *priv_data = Xmalloc(rep.length << 2); + if (rep.length < (INT_MAX >> 2)) + *priv_data = Xmalloc(rep.length << 2); if(*priv_data) { _XRead(dpy, (char*)(*priv_data), rep.length << 2); *priv_count = rep.length; @@ -456,7 +458,8 @@ Status _xvmc_create_subpicture ( subpicture->component_order[3] = rep.component_order[3]; if(rep.length) { - *priv_data = Xmalloc(rep.length << 2); + if (rep.length < (INT_MAX >> 2)) + *priv_data = Xmalloc(rep.length << 2); if(*priv_data) { _XRead(dpy, (char*)(*priv_data), rep.length << 2); *priv_count = rep.length; |