summaryrefslogtreecommitdiffstats
path: root/main/libxrender/CVE-2013-1987-3.patch
blob: 92e35d773e8ac12a77883cd51a196742da617710 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
From 786f78fd8df6d165ccbc81f306fd9f22b5c1551c Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 13 Apr 2013 06:02:11 +0000
Subject: integer overflow in XRenderQueryPictIndexValues() [CVE-2013-1987 3/3]

The length and numIndexValues members of the reply are both CARD32 and
need to be bounds checked before multiplying by sizeof (XIndexValue) to
avoid integer overflow leading to underallocation and writing data from
the network past the end of the allocated buffer.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
diff --git a/src/Xrender.c b/src/Xrender.c
index a62c753..3102eb2 100644
--- a/src/Xrender.c
+++ b/src/Xrender.c
@@ -844,7 +844,7 @@ XRenderQueryPictIndexValues(Display			*dpy,
     xRenderQueryPictIndexValuesReq	*req;
     xRenderQueryPictIndexValuesReply	rep;
     XIndexValue				*values;
-    int					nbytes, nread, rlength, i;
+    unsigned int			nbytes, nread, rlength, i;
 
     RenderCheckExtension (dpy, info, NULL);
 
@@ -860,15 +860,22 @@ XRenderQueryPictIndexValues(Display			*dpy,
 	return NULL;
     }
 
-    /* request data length */
-    nbytes = (long)rep.length << 2;
-    /* bytes of actual data in the request */
-    nread = rep.numIndexValues * SIZEOF (xIndexValue);
-    /* size of array returned to application */
-    rlength = rep.numIndexValues * sizeof (XIndexValue);
+    if ((rep.length < (INT_MAX >> 2)) &&
+	(rep.numIndexValues < (INT_MAX / sizeof (XIndexValue)))) {
+	/* request data length */
+	nbytes = rep.length << 2;
+	/* bytes of actual data in the request */
+	nread = rep.numIndexValues * SIZEOF (xIndexValue);
+	/* size of array returned to application */
+	rlength = rep.numIndexValues * sizeof (XIndexValue);
+
+	/* allocate returned data */
+	values = Xmalloc (rlength);
+    } else {
+	nbytes = nread = rlength = 0;
+	values = NULL;
+    }
 
-    /* allocate returned data */
-    values = (XIndexValue *)Xmalloc (rlength);
     if (!values)
     {
 	_XEatDataWords (dpy, rep.length);
--
cgit v0.9.0.2-2-gbebe