From f468184963e53feda848853c4aefd0197b2cc116 Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Fri, 12 Apr 2013 23:36:13 -0700 Subject: [PATCH 4/4] integer overflow in XResQueryClientResources() [CVE-2013-1988 2/2] The CARD32 rep.num_types needs to be bounds checked before multiplying by sizeof(XResType) to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel Signed-off-by: Alan Coopersmith --- src/XRes.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/XRes.c b/src/XRes.c index c989985..51e905f 100644 --- a/src/XRes.c +++ b/src/XRes.c @@ -187,7 +187,12 @@ Status XResQueryClientResources ( } if(rep.num_types) { - if((typs = Xmalloc(sizeof(XResType) * rep.num_types))) { + if (rep.num_types < (INT_MAX / sizeof(XResType))) + typs = Xmalloc(sizeof(XResType) * rep.num_types); + else + typs = NULL; + + if (typs != NULL) { xXResType scratch; int i; -- 1.8.2.3