From babb1fc823ab3be192c48fe115feeb0d57f74d05 Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Fri, 26 Apr 2013 23:59:25 -0700 Subject: [PATCH 3/5] integer overflow in XpGetAttributes & XpGetOneAttribute [CVE-2013-2062 1/3] stringLen & valueLen are CARD32s and need to be bounds checked before adding one to them to come up with the total size to allocate, to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Signed-off-by: Alan Coopersmith --- src/XpAttr.c | 36 +++++++++++++++++++----------------- 1 file changed, 19 insertions(+), 17 deletions(-) diff --git a/src/XpAttr.c b/src/XpAttr.c index 6818daf..665e2e8 100644 --- a/src/XpAttr.c +++ b/src/XpAttr.c @@ -48,6 +48,7 @@ #include #include +#include char * XpGetAttributes ( @@ -83,17 +84,18 @@ XpGetAttributes ( /* * Read pool and return to caller. */ - buf = Xmalloc( (unsigned) rep.stringLen + 1 ); + if (rep.stringLen < INT_MAX) + buf = Xmalloc(rep.stringLen + 1); + else + buf = NULL; if (!buf) { - UnlockDisplay(dpy); - SyncHandle(); - return( (char *) NULL ); /* malloc error */ + _XEatDataWords(dpy, rep.length); + } + else { + _XReadPad (dpy, (char *) buf, rep.stringLen ); + buf[rep.stringLen] = 0; } - - _XReadPad (dpy, (char *) buf, (long) rep.stringLen ); - - buf[rep.stringLen] = 0; UnlockDisplay(dpy); SyncHandle(); @@ -144,18 +146,18 @@ XpGetOneAttribute ( /* * Read variable answer. */ - buf = Xmalloc( (unsigned) rep.valueLen + 1 ); + if (rep.valueLen < INT_MAX) + buf = Xmalloc(rep.valueLen + 1); + else + buf = NULL; if (!buf) { - UnlockDisplay(dpy); - SyncHandle(); - return( (char *) NULL ); /* malloc error */ + _XEatDataWords(dpy, rep.length); + } + else { + _XReadPad (dpy, (char *) buf, rep.valueLen); + buf[rep.valueLen] = 0; } - - buf[rep.valueLen] = 0; - - _XReadPad (dpy, (char *) buf, (long) rep.valueLen ); - buf[rep.valueLen] = 0; UnlockDisplay(dpy); SyncHandle(); -- 1.8.2.3