Commit 0e79d96c authored by Alan Coopersmith's avatar Alan Coopersmith

integer overflow in XRRQueryOutputProperty() [CVE-2013-1986 1/4]

rep.length is a CARD32, while rbytes was a signed int, so
   rbytes = sizeof (XRRPropertyInfo) + rep.length * sizeof (long);
could result in integer overflow, leading to an undersized malloc
and reading data off the connection and writing it past the end of
the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
parent 1c7ad677
......@@ -31,6 +31,7 @@
#include <X11/extensions/render.h>
#include <X11/extensions/Xrender.h>
#include "Xrandrint.h"
#include <limits.h>
Atom *
XRRListOutputProperties (Display *dpy, RROutput output, int *nprop)
......@@ -84,7 +85,7 @@ XRRQueryOutputProperty (Display *dpy, RROutput output, Atom property)
XExtDisplayInfo *info = XRRFindDisplay(dpy);
xRRQueryOutputPropertyReply rep;
xRRQueryOutputPropertyReq *req;
int rbytes, nbytes;
unsigned int rbytes, nbytes;
XRRPropertyInfo *prop_info;
RRCheckExtension (dpy, info, NULL);
......@@ -102,10 +103,14 @@ XRRQueryOutputProperty (Display *dpy, RROutput output, Atom property)
return NULL;
}
rbytes = sizeof (XRRPropertyInfo) + rep.length * sizeof (long);
nbytes = rep.length << 2;
if (rep.length < ((INT_MAX / sizeof(long)) - sizeof (XRRPropertyInfo))) {
rbytes = sizeof (XRRPropertyInfo) + (rep.length * sizeof (long));
nbytes = rep.length << 2;
prop_info = Xmalloc (rbytes);
} else
prop_info = NULL;
prop_info = (XRRPropertyInfo *) Xmalloc (rbytes);
if (prop_info == NULL) {
_XEatDataWords(dpy, rep.length);
UnlockDisplay (dpy);
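Review bot: The bound introduced at `if (rep.length < ((INT_MAX / sizeof(long)) - sizeof (XRRPropertyInfo)))` carries no comment, so a reader has to rederive why INT_MAX is the limit now that rbytes and nbytes are unsigned, and why the shift in `nbytes = rep.length << 2;` is covered as well. A comment above the condition would settle it: `/* Keep rbytes (and nbytes: sizeof(long) >= 4 covers the << 2) from wrapping; an oversized reply falls through to the prop_info == NULL path below, which eats the reply data so the connection stays in sync. */`. Using INT_MAX rather than UINT_MAX looks like a deliberately conservative choice, but that is inferred and worth confirming in the same comment. The `} else` branch is left unbraced while the if branch is braced; bracing both would keep the new block consistent. XRRQueryOutputProperty continues outside this hunk.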