authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-03-09 13:48:28 -0800
committerAlan Coopersmith <alan.coopersmith@oracle.com>2013-05-04 16:35:55 -0700
commit5074d9d64192bd04519a438062b7d5bf216d06ee (patch)
tree4c2ea27a86af0ba756b1739bc93674e3947146b7
parentb6fe1a7af34ea620e002fc453f9c5eacf7db3969 (diff)
integer overflow in DMXGetInputAttributes() [CVE-2013-1992 3/3]
If the server provided nameLength causes integer overflow when padding length is added, a smaller buffer would be allocated than the amount of data written to it. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-rw-r--r--src/dmx.c16
1 files changed, 14 insertions, 2 deletions
diff --git a/src/dmx.c b/src/dmx.c
index 67434c8..d097062 100644
--- a/src/dmx.c
+++ b/src/dmx.c
@@ -723,6 +723,7 @@ Bool DMXGetInputAttributes(Display *dpy, int id, DMXInputAttributes *inf)
xDMXGetInputAttributesReply rep;
xDMXGetInputAttributesReq *req;
char *buffer;
+ Bool ret = False;
DMXCheckExtension(dpy, info, False);
@@ -737,6 +738,16 @@ Bool DMXGetInputAttributes(Display *dpy, int id, DMXInputAttributes *inf)
return False;
}
+ if (rep.nameLength < 1024)
+ buffer = Xmalloc(rep.nameLength + 1 + 4 /* for pad */);
+ else
+ buffer = NULL; /* name length is unbelievable, reject */
+
+ if (buffer == NULL) {
+ _XEatDataWords(dpy, rep.length);
+ goto end;
+ }
+
switch (rep.inputType) {
case 0: inf->inputType = DMXLocalInputType; break;
case 1: inf->inputType = DMXConsoleInputType; break;
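Review bot: The 1024 cap on `rep.nameLength` is a bare magic number; a named constant at file scope, e.g. `#define DMX_MAX_INPUT_NAME_LEN 1024 /* reject absurd server-supplied name lengths */`, with the test written `if (rep.nameLength < DMX_MAX_INPUT_NAME_LEN)`, would record why the bound exists. The bound only protects the `+ 1 + 4` size arithmetic; nothing in the hunk relates `rep.nameLength` to `rep.length`, so a reply that declares a name longer than the payload it actually carries still reaches the `_XReadPad(dpy, buffer, rep.nameLength)` call in the next hunk and reads past the reply's own data. Assuming `rep.length` counts the variable-length payload in 4-byte words as Xlib replies generally do (inferred, not visible here), tightening the guard to `if (rep.nameLength < DMX_MAX_INPUT_NAME_LEN && rep.nameLength <= rep.length * 4)` and routing the failure through the same `_XEatDataWords`/`goto end` path would close that gap. DMXGetInputAttributes starts before this hunk and its body continues past it.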
@@ -748,13 +759,14 @@ Bool DMXGetInputAttributes(Display *dpy, int id, DMXInputAttributes *inf)
inf->isCore = rep.isCore;
inf->sendsCore = rep.sendsCore;
inf->detached = rep.detached;
- buffer = Xmalloc(rep.nameLength + 1 + 4 /* for pad */);
_XReadPad(dpy, buffer, rep.nameLength);
buffer[rep.nameLength] = '\0';
inf->name = buffer;
+ ret = True;
+ end:
UnlockDisplay(dpy);
SyncHandle();
- return True;
+ return ret;
}
/** Add input. */