From e111065f6dd790c820fa67ea31055b18c68481e3 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith
Date: Fri, 26 Apr 2013 23:59:25 -0700
Subject: [PATCH 5/5] integer overflows in XpQueryScreens() [CVE-2013-2062 3/3]
listCount is a CARD32 that needs to be bounds checked before it is multiplied by the size of the pointers to allocate, to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer.
Signed-off-by: Alan Coopersmith
---
 src/XpScreens.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/src/XpScreens.c b/src/XpScreens.c
index 815dfbf..b31e554 100644
--- a/src/XpScreens.c
+++ b/src/XpScreens.c
@@ -42,6 +42,7 @@
 #include
 #include
 #include "XpExtUtil.h"
+#include
 Screen **
@@ -82,19 +83,17 @@ XpQueryScreens (
 *list_count = rep.listCount;
 if (*list_count) {
- scr_list = (Screen **)
- Xmalloc( (unsigned) (sizeof(Screen *) * *list_count) );
+ if (rep.listCount < (INT_MAX / sizeof(Screen *)))
+ scr_list = Xmalloc(sizeof(Screen *) * *list_count);
+ else
+ scr_list = NULL;
 if (!scr_list) {
- UnlockDisplay(dpy);
- SyncHandle();
- return ( (Screen **) NULL ); /* malloc error */
+ _XEatDataWords(dpy, rep.length);
+ goto out;
 }
 i = 0;
 while(i < *list_count){
- /*
- * Pull printer length and then name.
- */
 _XRead32 (dpy, &rootWindow, (long) sizeof(CARD32) );
 scr_list[i] = NULL;
 for ( j = 0; j < XScreenCount(dpy); j++ ) {
@@ -118,6 +117,7 @@ XpQueryScreens (
 scr_list = (Screen **) NULL;
 }
+ out:
 UnlockDisplay(dpy);
 SyncHandle();
--
1.8.2.3
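Review bot: The new guard in XpQueryScreens() bounds `rep.listCount` only against `INT_MAX / sizeof(Screen *)`, so a server-supplied count far larger than the reply still drives a very large allocation and a `_XRead32` loop that asks for more words than `rep.length` announces. If the reply body is just the root-window list (one CARD32 per entry, which the loop suggests but the hunk does not confirm), the condition could also tie the count to the reply length: `if (rep.listCount < (INT_MAX / sizeof(Screen *)) && rep.listCount <= rep.length)`. Separately, `*list_count` is assigned before the check and is still nonzero when the failure path jumps to `out:`; setting `*list_count = 0;` before `goto out;` would keep the count consistent with the NULL list, assuming the return after `out:` (outside the hunk) hands back `scr_list`. The function's start and end are outside the hunk.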