From c480fe3271873ec7471b0cbd680f4dac18ca8904 Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Sat, 13 Apr 2013 17:24:08 +0000 Subject: integer overflow in XFixesGetCursorImage() [CVE-2013-1983] If the reported cursor dimensions or name length are too large, the calculations to allocate memory for them may overflow, leaving us writing beyond the bounds of the allocation. Reported-by: Ilja Van Sprundel Signed-off-by: Alan Coopersmith --- diff --git a/src/Cursor.c b/src/Cursor.c index 641b747..33590b7 100644 --- a/src/Cursor.c +++ b/src/Cursor.c @@ -47,6 +47,7 @@ #include #endif #include "Xfixesint.h" +#include void XFixesSelectCursorInput (Display *dpy, @@ -74,9 +75,9 @@ XFixesGetCursorImage (Display *dpy) XFixesExtDisplayInfo *info = XFixesFindDisplay (dpy); xXFixesGetCursorImageAndNameReq *req; xXFixesGetCursorImageAndNameReply rep; - int npixels; - int nbytes_name; - int nbytes, nread, rlength; + size_t npixels; + size_t nbytes_name; + size_t nbytes, nread, rlength; XFixesCursorImage *image; char *name; @@ -101,16 +102,21 @@ XFixesGetCursorImage (Display *dpy) } npixels = rep.width * rep.height; nbytes_name = rep.nbytes; - /* reply data length */ - nbytes = (long) rep.length << 2; - /* bytes of actual data in the reply */ - nread = (npixels << 2) + nbytes_name; - /* size of data returned to application */ - rlength = (sizeof (XFixesCursorImage) + - npixels * sizeof (unsigned long) + - nbytes_name + 1); + if ((rep.length < (INT_MAX >> 2)) && + npixels < (((INT_MAX >> 3) - sizeof (XFixesCursorImage) - 1) + - nbytes_name)) { + /* reply data length */ + nbytes = (size_t) rep.length << 2; + /* bytes of actual data in the reply */ + nread = (npixels << 2) + nbytes_name; + /* size of data returned to application */ + rlength = (sizeof (XFixesCursorImage) + + npixels * sizeof (unsigned long) + + nbytes_name + 1); - image = (XFixesCursorImage *) Xmalloc (rlength); + image = Xmalloc (rlength); + } else + image = NULL; if (!image) { _XEatDataWords(dpy, rep.length); -- cgit v0.9.0.2-2-gbebe