From b098d40cbd8b5e093e032063eefbf8d62daa7ce9 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith
Date: Sat, 9 Mar 2013 22:55:23 -0800
Subject: [PATCH 09/16] integer overflow in XGetDeviceDontPropagateList() [CVE-2013-1984 3/8]
If the number of event classes reported by the server is large enough that it overflows when multiplied by the size of the appropriate struct, then memory corruption can occur when more bytes are copied from the X server reply than the size of the buffer we allocated to hold them.
V2: EatData if count is 0 but length is > 0 to avoid XIOErrors
Reported-by: Ilja Van Sprundel
Signed-off-by: Alan Coopersmith
Reviewed-by: Peter Hutterer
(cherry picked from commit 6dd6dc51a2935c72774be81e5cc2ba2c30e9feff)
(cherry picked from commit 843e1e83de77df8e7e2fc0e992955871498e8432)
---
 src/XGetProp.c | 8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/src/XGetProp.c b/src/XGetProp.c
index ca6f657..1ddc4a3 100644
--- a/src/XGetProp.c
+++ b/src/XGetProp.c
@@ -57,6 +57,7 @@ SOFTWARE.
 #include
 #include
 #include "XIint.h"
+#include
 XEventClass *
 XGetDeviceDontPropagateList(
@@ -85,10 +86,11 @@ XGetDeviceDontPropagateList(
 }
 *count = rep.count;
- if (*count) {
- list = (XEventClass *) Xmalloc(rep.length * sizeof(XEventClass));
+ if (rep.length != 0) {
+ if ((rep.count != 0) && (rep.length < (INT_MAX / sizeof(XEventClass))))
+ list = Xmalloc(rep.length * sizeof(XEventClass));
 if (list) {
- int i;
+ unsigned int i;
 CARD32 ec;
 /* read and assign each XEventClass separately because
--
1.7.7.1
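Review bot: The guard on the new `Xmalloc` call sizes the buffer from `rep.length`, but the value handed back to the caller is still `*count = rep.count`, and nothing in the hunk checks that the two agree. A reply whose count exceeds its length would leave the caller with a count larger than the array it received, so a caller indexing up to `*count` reads past the allocation; adding `(rep.count <= rep.length)` to the condition closes that. The same assignment also leaves `*count` non-zero when the guard rejects the reply and `list` stays NULL, so resetting `*count = 0` on that path would keep the two outputs consistent. The commit message mentions draining the reply in that case, but no `_XEatData` call is visible in these hunks; the function body continues outside the hunk, so confirm the unread data is discarded there.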