From 1da5b838c2a8565d4d95a4e948f951ce6b466345 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri, 12 Apr 2013 21:44:59 -0700
Subject: [PATCH 4/7] integer overflow in XRRQueryProviderProperty()
 [CVE-2013-1986 2/4]

Same problem as XRRQueryOutputProperty() that it was cloned from

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
 src/XrrProviderProperty.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/src/XrrProviderProperty.c b/src/XrrProviderProperty.c
index 2d90a0a..dc699f6 100644
--- a/src/XrrProviderProperty.c
+++ b/src/XrrProviderProperty.c
@@ -31,6 +31,7 @@
 #include <X11/extensions/render.h>
 #include <X11/extensions/Xrender.h>
 #include "Xrandrint.h"
+#include <limits.h>
 
 Atom *
 XRRListProviderProperties (Display *dpy, RRProvider provider, int *nprop)
@@ -84,7 +85,7 @@ XRRQueryProviderProperty (Display *dpy, RRProvider provider, Atom property)
     XExtDisplayInfo		*info = XRRFindDisplay(dpy);
     xRRQueryProviderPropertyReply rep;
     xRRQueryProviderPropertyReq	*req;
-    int				rbytes, nbytes;
+    unsigned int		rbytes, nbytes;
     XRRPropertyInfo		*prop_info;
 
     RRCheckExtension (dpy, info, NULL);
@@ -102,10 +103,14 @@ XRRQueryProviderProperty (Display *dpy, RRProvider provider, Atom property)
 	return NULL;
     }
 
-    rbytes = sizeof (XRRPropertyInfo) + rep.length * sizeof (long);
-    nbytes = rep.length << 2;
+    if (rep.length < ((INT_MAX / sizeof(long)) - sizeof (XRRPropertyInfo))) {
+        rbytes = sizeof (XRRPropertyInfo) + (rep.length * sizeof (long));
+        nbytes = rep.length << 2;
+
+        prop_info = Xmalloc (rbytes);
+    } else
+        prop_info = NULL;
 
-    prop_info = (XRRPropertyInfo *) Xmalloc (rbytes);
     if (prop_info == NULL) {
 	_XEatDataWords (dpy, rep.length);
 	UnlockDisplay (dpy);
-- 
1.8.2.3