From f4a8dd63af518640468d82948f450aad4b2b1e6a Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Sat, 13 Apr 2013 12:18:57 -0700 Subject: [PATCH 2/6] integer overflow in XDGAQueryModes() [CVE-2013-1991 1/2] number is a CARD32 and needs to be bounds checked before multiplying by sizeof(XDGAmode) to come up with the total size to allocate, to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel Signed-off-by: Alan Coopersmith --- src/XF86DGA2.c | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c index c17c7f1..8830266 100644 --- a/src/XF86DGA2.c +++ b/src/XF86DGA2.c @@ -312,16 +312,21 @@ XDGAMode* XDGAQueryModes( if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) { if(rep.length) { xXDGAModeInfo info; - int i, size; + unsigned long size = 0; char *offset; - size = rep.length << 2; - size -= rep.number * sz_xXDGAModeInfo; /* find text size */ - modes = (XDGAMode*)Xmalloc((rep.number * sizeof(XDGAMode)) + size); - offset = (char*)(&modes[rep.number]); /* start of text */ - + if ((rep.length < (INT_MAX >> 2)) && + (rep.number < (INT_MAX / sizeof(XDGAMode)))) { + size = rep.length << 2; + if (size > (rep.number * sz_xXDGAModeInfo)) { + size -= rep.number * sz_xXDGAModeInfo; /* find text size */ + modes = Xmalloc((rep.number * sizeof(XDGAMode)) + size); + offset = (char*)(&modes[rep.number]); /* start of text */ + } + } - if(modes) { + if (modes != NULL) { + unsigned int i; for(i = 0; i < rep.number; i++) { _XRead(dpy, (char*)(&info), sz_xXDGAModeInfo); -- 1.8.2.3