authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-04-13 12:53:49 -0700
committerAlan Coopersmith <alan.coopersmith@oracle.com>2013-05-04 19:05:02 -0700
commita8dc6be3213bc91dec5e25535ef4bad5a9456af0 (patch)
tree69e5988f889c47a7b8f6ef1460d3ed9ecb3676e0
parentb69d6d51a82b1d1e8c68a233360acb742c879375 (diff)
integer overflow in XDGAOpenFramebuffer()
rep.length is a CARD32 and should be bounds checked before left shifting to come up with the size to allocate and read from the network, though since both functions take the same size, there should be no way for the buffer to be overflowed in this case. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-rw-r--r--src/XF86DGA2.c11
1 files changed, 8 insertions, 3 deletions
diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
index 4d13677..9c656e6 100644
--- a/src/XF86DGA2.c
+++ b/src/XF86DGA2.c
@@ -250,9 +250,14 @@ Bool XDGAOpenFramebuffer(
return False;
}
- if(rep.length) {
- deviceName = Xmalloc(rep.length << 2);
- _XRead(dpy, deviceName, rep.length << 2);
+ if (rep.length) {
+ if (rep.length < (INT_MAX >> 2)) {
+ unsigned long size = rep.length << 2;
+ deviceName = Xmalloc(size);
+ _XRead(dpy, deviceName, size);
+ deviceName[size - 1] = '\0';
+ } else
+ _XEatDataWords(dpy, rep.length);
}
ret = XDGAMapFramebuffer(screen, deviceName,
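Review bot: The result of `Xmalloc(size)` is used unchecked in the new branch, so on allocation failure `_XRead(dpy, deviceName, size)` writes through a NULL pointer and `deviceName[size - 1] = '\0'` dereferences it. Guard both statements with `if (deviceName != NULL) {` … `} else` `_XEatDataWords(dpy, rep.length);` so a failed allocation still drains the reply and keeps the connection in sync. When the length check rejects the reply, `deviceName` keeps the value it had before this block and is then passed to `XDGAMapFramebuffer()`; its initialisation is outside the hunk, so confirm it starts as NULL and that the callee handles a NULL name. The body of XDGAOpenFramebuffer starts and ends outside the hunk.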