aboutsummaryrefslogtreecommitdiffstats
path: root/main/libxxf86vm/0008-avoid-integer-overflow-in-XF86VidModeGetModeLine.patch
blob: f879c5b116592981c742fbd5b230b3e826ea5820 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
From 4c4123441e40da97acd10f58911193ad3dcef5cd Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 13 Apr 2013 14:43:48 -0700
Subject: [PATCH 8/8] avoid integer overflow in XF86VidModeGetModeLine()

rep.privsize is a CARD32 and needs to be bounds checked before multiplying
by sizeof(INT32) to come up with the total size to allocate & read to avoid
integer overflow, though it would not result in buffer overflow as the same
calculation was used for both allocation & reading from the network.

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
 src/XF86VMode.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/XF86VMode.c b/src/XF86VMode.c
index a32564e..fb94816 100644
--- a/src/XF86VMode.c
+++ b/src/XF86VMode.c
@@ -271,7 +271,10 @@ XF86VidModeGetModeLine(Display* dpy, int screen, int* dotclock,
     }
 
     if (modeline->privsize > 0) {
-	modeline->private = Xcalloc(modeline->privsize, sizeof(INT32));
+	if (modeline->privsize < (INT_MAX / sizeof(INT32)))
+	    modeline->private = Xcalloc(modeline->privsize, sizeof(INT32));
+	else
+	    modeline->private = NULL;
 	if (modeline->private == NULL) {
 	    _XEatDataWords(dpy, rep.length -
 		((SIZEOF(xXF86VidModeGetModeLineReply) - SIZEOF(xReply)) >> 2));
-- 
1.8.2.3