From a8dc6be3213bc91dec5e25535ef4bad5a9456af0 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith
Date: Sat, 13 Apr 2013 12:53:49 -0700
Subject: [PATCH 6/6] integer overflow in XDGAOpenFramebuffer()

rep.length is a CARD32 and should be bounds checked before left shifting to come up with the size to allocate and read from the network, though since both functions take the same size, there should be no way for the buffer to be overflowed in this case.

Signed-off-by: Alan Coopersmith
---
 src/XF86DGA2.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
index 4d13677..9c656e6 100644
--- a/src/XF86DGA2.c
+++ b/src/XF86DGA2.c
@@ -250,9 +250,14 @@ Bool XDGAOpenFramebuffer(
 return False;
 }
- if(rep.length) {
- deviceName = Xmalloc(rep.length << 2);
- _XRead(dpy, deviceName, rep.length << 2);
+ if (rep.length) {
+ if (rep.length < (INT_MAX >> 2)) {
+ unsigned long size = rep.length << 2;
+ deviceName = Xmalloc(size);
+ _XRead(dpy, deviceName, size);
+ deviceName[size - 1] = '\0';
+ } else
+ _XEatDataWords(dpy, rep.length);
 }
 ret = XDGAMapFramebuffer(screen, deviceName,
--
1.8.2.3
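Review bot: The result of `Xmalloc(size)` is used without a NULL check, so on allocation failure both `_XRead(dpy, deviceName, size)` and `deviceName[size - 1] = '\0'` write through a null pointer, with `size` derived from the server-supplied `rep.length`. The read and terminator should be guarded, and the reply drained otherwise so the connection stays in sync: `if (deviceName) { _XRead(dpy, deviceName, size); deviceName[size - 1] = '\0'; } else _XEatDataWords(dpy, rep.length);`. On both skip paths `deviceName` reaches `XDGAMapFramebuffer` with whatever value it held before this block; its initialisation is outside the hunk, so that is worth confirming. The hunk also uses `INT_MAX` without adding an include, so presumably `<limits.h>` is already pulled in elsewhere in the file.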