1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
|
From 9e577d40322b9e3d8bdefec0eefa44d8ead451a4 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 13 Apr 2013 06:02:11 +0000
Subject: integer overflow in XRenderQueryFormats() [CVE-2013-1987 2/3]
The length, numFormats, numScreens, numDepths, and numVisuals members of
the reply are all CARD32 and need to be bounds checked before multiplying
and adding them together to come up with the total size to allocate, to
avoid integer overflow leading to underallocation and writing data from
the network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
diff --git a/src/Xrender.c b/src/Xrender.c
index 5c8e5f5..a62c753 100644
--- a/src/Xrender.c
+++ b/src/Xrender.c
@@ -26,6 +26,7 @@
#include <config.h>
#endif
#include "Xrenderint.h"
+#include <limits.h>
XRenderExtInfo XRenderExtensionInfo;
char XRenderExtensionName[] = RENDER_NAME;
@@ -411,8 +412,8 @@ XRenderQueryFormats (Display *dpy)
CARD32 *xSubpixel;
void *xData;
int nf, ns, nd, nv;
- int rlength;
- int nbytes;
+ unsigned long rlength;
+ unsigned long nbytes;
RenderCheckExtension (dpy, info, 0);
LockDisplay (dpy);
@@ -458,18 +459,29 @@ XRenderQueryFormats (Display *dpy)
if (async_state.major_version == 0 && async_state.minor_version < 6)
rep.numSubpixel = 0;
- xri = (XRenderInfo *) Xmalloc (sizeof (XRenderInfo) +
- rep.numFormats * sizeof (XRenderPictFormat) +
- rep.numScreens * sizeof (XRenderScreen) +
- rep.numDepths * sizeof (XRenderDepth) +
- rep.numVisuals * sizeof (XRenderVisual));
- rlength = (rep.numFormats * sizeof (xPictFormInfo) +
- rep.numScreens * sizeof (xPictScreen) +
- rep.numDepths * sizeof (xPictDepth) +
- rep.numVisuals * sizeof (xPictVisual) +
- rep.numSubpixel * 4);
- xData = (void *) Xmalloc (rlength);
- nbytes = (int) rep.length << 2;
+ if ((rep.numFormats < ((INT_MAX / 4) / sizeof (XRenderPictFormat))) &&
+ (rep.numScreens < ((INT_MAX / 4) / sizeof (XRenderScreen))) &&
+ (rep.numDepths < ((INT_MAX / 4) / sizeof (XRenderDepth))) &&
+ (rep.numVisuals < ((INT_MAX / 4) / sizeof (XRenderVisual))) &&
+ (rep.numSubpixel < ((INT_MAX / 4) / 4)) &&
+ (rep.length < (INT_MAX >> 2)) ) {
+ xri = Xmalloc (sizeof (XRenderInfo) +
+ (rep.numFormats * sizeof (XRenderPictFormat)) +
+ (rep.numScreens * sizeof (XRenderScreen)) +
+ (rep.numDepths * sizeof (XRenderDepth)) +
+ (rep.numVisuals * sizeof (XRenderVisual)));
+ rlength = ((rep.numFormats * sizeof (xPictFormInfo)) +
+ (rep.numScreens * sizeof (xPictScreen)) +
+ (rep.numDepths * sizeof (xPictDepth)) +
+ (rep.numVisuals * sizeof (xPictVisual)) +
+ (rep.numSubpixel * 4));
+ xData = Xmalloc (rlength);
+ nbytes = (unsigned long) rep.length << 2;
+ } else {
+ xri = NULL;
+ xData = NULL;
+ rlength = nbytes = 0;
+ }
if (!xri || !xData || nbytes < rlength)
{
--
cgit v0.9.0.2-2-gbebe
|
