From 59301c1b5095f7dc6359d5b396dbbcdee7038270 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 13 Apr 2013 00:03:03 -0700
Subject: [PATCH 4/5] integer overflow in XvListImageFormats() [CVE-2013-1989
 2/3]

num_formats is a CARD32 and needs to be bounds checked before multiplying
by sizeof(XvImageFormatValues) to come up with the total size to allocate,
to avoid integer overflow leading to underallocation and writing data from
the network past the end of the allocated buffer.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
 src/Xv.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/Xv.c b/src/Xv.c
index f9813eb..0a07d9d 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -918,9 +918,10 @@ XvImageFormatValues * XvListImageFormats (
   }
 
   if(rep.num_formats) {
-      int size = (rep.num_formats * sizeof(XvImageFormatValues));
+      if (rep.num_formats < (INT_MAX / sizeof(XvImageFormatValues)))
+	  ret = Xmalloc(rep.num_formats * sizeof(XvImageFormatValues));
 
-      if((ret = Xmalloc(size))) {
+      if (ret != NULL) {
 	  xvImageFormatInfo Info;
 	  int i;
 
-- 
1.8.2.3