integer overflow in XDGAQueryModes() [CVE-2013-1991 1/2]

number is a CARD32 and needs to be bounds checked before multiplying by
sizeof(XDGAmode) to come up with the total size to allocate, to avoid
integer overflow leading to underallocation and writing data from the
network past the end of the allocated buffer.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

1 files changed, 12 insertions, 7 deletions

diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
index c17c7f1..8830266 100644
--- a/src/XF86DGA2.c
+++ b/src/XF86DGA2.c
@@ -312,16 +312,21 @@ XDGAMode* XDGAQueryModes(
     if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) {
 	if(rep.length) {
 	   xXDGAModeInfo info;
-	   int i, size;
+	   unsigned long size = 0;
 	   char *offset;
 
-	   size = rep.length << 2;
-	   size -= rep.number * sz_xXDGAModeInfo; /* find text size */
-	   modes = (XDGAMode*)Xmalloc((rep.number * sizeof(XDGAMode)) + size);
-	   offset = (char*)(&modes[rep.number]); /* start of text */
-
+	   if ((rep.length < (INT_MAX >> 2)) &&
+	       (rep.number < (INT_MAX / sizeof(XDGAMode)))) {
+	       size = rep.length << 2;
+	       if (size > (rep.number * sz_xXDGAModeInfo)) {
+		   size -= rep.number * sz_xXDGAModeInfo; /* find text size */
+		   modes = Xmalloc((rep.number * sizeof(XDGAMode)) + size);
+		   offset = (char*)(&modes[rep.number]);  /* start of text */
+	       }
+	   }
 
-	   if(modes) {
+	   if (modes != NULL) {
+	      unsigned int i;
 	      for(i = 0; i < rep.number; i++) {
 		_XRead(dpy, (char*)(&info), sz_xXDGAModeInfo);