From cce662bb80060b6e45d32186d9bbdccf8ea1172d Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 10 Mar 2013 00:22:14 -0800
Subject: [PATCH 14/16] Avoid integer overflow in XListInputDevices()
 [CVE-2013-1984 8/8]

If the length of the reply as reported by the Xserver is too long, it
could overflow the calculation for the size of the buffer to copy the
reply into, causing memory corruption.

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit ef82512288d8ca36ac0beeb289f158195b0a8cae)
(cherry picked from commit f888a17af24945e2b583625c7d85ebed1518fc05)
---
 src/XListDev.c |   10 ++++++----
 1 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/XListDev.c b/src/XListDev.c
index ad8f548..d8abddb 100644
--- a/src/XListDev.c
+++ b/src/XListDev.c
@@ -57,6 +57,7 @@ SOFTWARE.
 #include <X11/extensions/XInput.h>
 #include <X11/extensions/extutil.h>
 #include "XIint.h"
+#include <limits.h>
 
 static int
 SizeClassInfo(xAnyClassPtr *any, int num_classes)
@@ -164,7 +165,7 @@ XListInputDevices(
     XAnyClassPtr Any;
     char *nptr, *Nptr;
     int i;
-    long rlen;
+    unsigned long rlen;
     XExtDisplayInfo *info = XInput_find_display(dpy);
 
     LockDisplay(dpy);
@@ -183,9 +184,10 @@ XListInputDevices(
 
     if ((*ndevices = rep.ndevices)) {	/* at least 1 input device */
 	size = *ndevices * sizeof(XDeviceInfo);
-	rlen = rep.length << 2;	/* multiply length by 4    */
-	list = (xDeviceInfo *) Xmalloc(rlen);
-	slist = list;
+	if (rep.length < (INT_MAX >> 2)) {
+	    rlen = rep.length << 2;	/* multiply length by 4    */
+	    slist = list = Xmalloc(rlen);
+	}
 	if (!slist) {
 	    _XEatDataWords(dpy, rep.length);
 	    UnlockDisplay(dpy);
-- 
1.7.7.1