From 0e79d96c36aef5889ae2e2a3fc2e96e93f30dc21 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith
Date: Fri, 12 Apr 2013 21:44:59 -0700
Subject: [PATCH 3/7] integer overflow in XRRQueryOutputProperty() [CVE-2013-1986 1/4]

rep.length is a CARD32, while rbytes was a signed int, so rbytes = sizeof (XRRPropertyInfo) + rep.length * sizeof (long); could result in integer overflow, leading to an undersized malloc and reading data off the connection and writing it past the end of the allocated buffer.

Reported-by: Ilja Van Sprundel
Signed-off-by: Alan Coopersmith
---
 src/XrrProperty.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/src/XrrProperty.c b/src/XrrProperty.c
index 2b065b2..50382bf 100644
--- a/src/XrrProperty.c
+++ b/src/XrrProperty.c
@@ -31,6 +31,7 @@
 #include
 #include
 #include "Xrandrint.h"
+#include
 
 Atom *
 XRRListOutputProperties (Display *dpy, RROutput output, int *nprop)
@@ -84,7 +85,7 @@ XRRQueryOutputProperty (Display *dpy, RROutput output, Atom property)
 XExtDisplayInfo *info = XRRFindDisplay(dpy);
 xRRQueryOutputPropertyReply rep;
 xRRQueryOutputPropertyReq *req;
- int rbytes, nbytes;
+ unsigned int rbytes, nbytes;
 XRRPropertyInfo *prop_info;
 
 RRCheckExtension (dpy, info, NULL);
@@ -102,10 +103,14 @@ XRRQueryOutputProperty (Display *dpy, RROutput output, Atom property)
 return NULL;
 }
 
- rbytes = sizeof (XRRPropertyInfo) + rep.length * sizeof (long);
- nbytes = rep.length << 2;
+ if (rep.length < ((INT_MAX / sizeof(long)) - sizeof (XRRPropertyInfo))) {
+ rbytes = sizeof (XRRPropertyInfo) + (rep.length * sizeof (long));
+ nbytes = rep.length << 2;
+
+ prop_info = Xmalloc (rbytes);
+ } else
+ prop_info = NULL;
 
- prop_info = (XRRPropertyInfo *) Xmalloc (rbytes);
 if (prop_info == NULL) {
 _XEatDataWords(dpy, rep.length);
 UnlockDisplay (dpy);
-- 
1.8.2.3
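Review bot: The overflow branch in the third hunk leaves `rbytes` and `nbytes` unset and relies on the `prop_info == NULL` path below to discard the reply via `_XEatDataWords`, which a reader has to reconstruct from the unbraced `} else`; brace it and state the intent, e.g. `} else { prop_info = NULL; /* reply too large: handled as an allocation failure below */ }`. The bound compares a CARD32 against size_t arithmetic, so on LP64 targets it appears to cap rep.length near INT_MAX/8 even though `rbytes` is now unsigned; that is conservative rather than wrong, but a one-line comment naming the intended limit would save the next reader the recomputation. XRRQueryOutputProperty's body continues outside the hunk, so whether `nbytes` is read on the error path cannot be confirmed from here.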