main/libxres: fix CVE-2013-1988

ref #1931

1 files changed, 37 insertions, 0 deletions

diff --git a/main/libxres/0003-integer-overflow-in-XResQueryClients-CVE-2013-1988-1.patch b/main/libxres/0003-integer-overflow-in-XResQueryClients-CVE-2013-1988-1.patch
new file mode 100644
index 0000000000..e851c092f1
--- /dev/null
+++ b/main/libxres/0003-integer-overflow-in-XResQueryClients-CVE-2013-1988-1.patch
@@ -0,0 +1,37 @@
+From b053d215b80e721f9afdc5794e4f3f4f2aee0141 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 12 Apr 2013 23:36:13 -0700
+Subject: [PATCH 3/4] integer overflow in XResQueryClients() [CVE-2013-1988
+ 1/2]
+
+The CARD32 rep.num_clients needs to be bounds checked before multiplying
+by sizeof(XResClient) to avoid integer overflow leading to underallocation
+and writing data from the network past the end of the allocated buffer.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XRes.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/XRes.c b/src/XRes.c
+index 1ab1db8..c989985 100644
+--- a/src/XRes.c
++++ b/src/XRes.c
+@@ -130,7 +130,12 @@ Status XResQueryClients (
+     }
+ 
+     if(rep.num_clients) {
+-        if((clnts = Xmalloc(sizeof(XResClient) * rep.num_clients))) {
++        if (rep.num_clients < (INT_MAX / sizeof(XResClient)))
++            clnts = Xmalloc(sizeof(XResClient) * rep.num_clients);
++        else
++            clnts = NULL;
++
++        if (clnts != NULL) {
+             xXResClient scratch;
+             int i;
+ 
+-- 
+1.8.2.3
+