authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-04-13 12:38:25 -0700
committerAlan Coopersmith <alan.coopersmith@oracle.com>2013-05-04 19:05:02 -0700
commitf89cf306a60facdf102696840bc05acebd7d1772 (patch)
tree913ec9ed08ccc5efb739d0febc532093122ab7fd
parent5dcfa6a8cf2df39828da733e5945e730518c27b3 (diff)
integer overflow & underflow in XDGASetMode() [CVE-2013-1991 2/2]
rep.length is a CARD32 and needs to be bounds checked before bit shifting and subtracting sz_xXDGAModeInfo to come up with the total size to allocate, to avoid integer overflow or underflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-rw-r--r--src/XF86DGA2.c13
1 files changed, 9 insertions, 4 deletions
diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
index b5145ee..90ca918 100644
--- a/src/XF86DGA2.c
+++ b/src/XF86DGA2.c
@@ -405,12 +405,15 @@ XDGASetMode(
if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) {
if(rep.length) {
xXDGAModeInfo info;
- int size;
+ unsigned long size;
- size = rep.length << 2;
- size -= sz_xXDGAModeInfo; /* get text size */
+ if ((rep.length < (INT_MAX >> 2)) &&
+ (rep.length > (sz_xXDGAModeInfo >> 2))) {
+ size = rep.length << 2;
+ size -= sz_xXDGAModeInfo; /* get text size */
- dev = (XDGADevice*)Xmalloc(sizeof(XDGADevice) + size);
+ dev = Xmalloc(sizeof(XDGADevice) + size);
+ }
if(dev) {
_XRead(dpy, (char*)(&info), sz_xXDGAModeInfo);
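Review bot: The `if(dev)` test after the new bounds check is only safe if `dev` is already NULL on entry, because `dev` is now assigned only inside the guarded block and a rejected rep.length skips the Xmalloc call entirely; the declaration lies outside this hunk, so confirm it is initialised, e.g. `XDGADevice *dev = NULL;`. The lower bound `rep.length > (sz_xXDGAModeInfo >> 2)` also rejects a reply that carries exactly the fixed structure and no trailing text, which is worth stating in a comment above the check, such as `/* reject lengths that would overflow the shift or underflow the subtraction */`. `INT_MAX` requires `<limits.h>`, whose include is not visible in this hunk. XDGASetMode's body starts before and continues after the hunk.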
@@ -451,6 +454,8 @@ XDGASetMode(
dev->data += rep.offset;
}
/* not sure what to do if the allocation fails */
+ else
+ _XEatDataWords(dpy, rep.length);
}
}
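Review bot: The comment `/* not sure what to do if the allocation fails */` directly above the added `else` is now stale, since the new branch does decide what to do: it discards the unread reply body. That branch is reached both when Xmalloc fails and when the earlier bounds check rejects rep.length, so the comment should name both cases, for example `/* allocation failed or rep.length was out of range: drain the reply so the connection stays in sync */`. The `else` is also unbraced while its `if(dev)` arm is braced, and a comment sitting between `}` and `else` is easy to misread; moving the comment inside a braced `else { ... }` would make the pairing obvious. The `if(dev)` block opens outside this hunk.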