From f89cf306a60facdf102696840bc05acebd7d1772 Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Sat, 13 Apr 2013 12:38:25 -0700 Subject: integer overflow & underflow in XDGASetMode() [CVE-2013-1991 2/2] rep.length is a CARD32 and needs to be bounds checked before bit shifting and subtracting sz_xXDGAModeInfo to come up with the total size to allocate, to avoid integer overflow or underflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel Signed-off-by: Alan Coopersmith --- src/XF86DGA2.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c index b5145ee..90ca918 100644 --- a/src/XF86DGA2.c +++ b/src/XF86DGA2.c @@ -405,12 +405,15 @@ XDGASetMode( if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) { if(rep.length) { xXDGAModeInfo info; - int size; + unsigned long size; - size = rep.length << 2; - size -= sz_xXDGAModeInfo; /* get text size */ + if ((rep.length < (INT_MAX >> 2)) && + (rep.length > (sz_xXDGAModeInfo >> 2))) { + size = rep.length << 2; + size -= sz_xXDGAModeInfo; /* get text size */ - dev = (XDGADevice*)Xmalloc(sizeof(XDGADevice) + size); + dev = Xmalloc(sizeof(XDGADevice) + size); + } if(dev) { _XRead(dpy, (char*)(&info), sz_xXDGAModeInfo); @@ -451,6 +454,8 @@ XDGASetMode( dev->data += rep.offset; } /* not sure what to do if the allocation fails */ + else + _XEatDataWords(dpy, rep.length); } } -- cgit v1.2.3