diff options
Diffstat (limited to 'main/libxres/0004-integer-overflow-in-XResQueryClientResources-CVE-201.patch')
-rw-r--r-- | main/libxres/0004-integer-overflow-in-XResQueryClientResources-CVE-201.patch | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/main/libxres/0004-integer-overflow-in-XResQueryClientResources-CVE-201.patch b/main/libxres/0004-integer-overflow-in-XResQueryClientResources-CVE-201.patch new file mode 100644 index 0000000000..bca2bb0260 --- /dev/null +++ b/main/libxres/0004-integer-overflow-in-XResQueryClientResources-CVE-201.patch @@ -0,0 +1,37 @@ +From f468184963e53feda848853c4aefd0197b2cc116 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Fri, 12 Apr 2013 23:36:13 -0700 +Subject: [PATCH 4/4] integer overflow in XResQueryClientResources() + [CVE-2013-1988 2/2] + +The CARD32 rep.num_types needs to be bounds checked before multiplying +by sizeof(XResType) to avoid integer overflow leading to underallocation +and writing data from the network past the end of the allocated buffer. + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + src/XRes.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/XRes.c b/src/XRes.c +index c989985..51e905f 100644 +--- a/src/XRes.c ++++ b/src/XRes.c +@@ -187,7 +187,12 @@ Status XResQueryClientResources ( + } + + if(rep.num_types) { +- if((typs = Xmalloc(sizeof(XResType) * rep.num_types))) { ++ if (rep.num_types < (INT_MAX / sizeof(XResType))) ++ typs = Xmalloc(sizeof(XResType) * rep.num_types); ++ else ++ typs = NULL; ++ ++ if (typs != NULL) { + xXResType scratch; + int i; + +-- +1.8.2.3 + |