integer overflow in XResQueryClients() [CVE-2013-1988 1/2]

The CARD32 rep.num_clients needs to be bounds checked before multiplying by sizeof(XResClient) to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
author: Alan Coopersmith <alan.coopersmith@oracle.com> 2013-04-12 23:36:13 -0700
committer: Alan Coopersmith <alan.coopersmith@oracle.com> 2013-05-06 23:22:42 -0700
commit: b053d215b80e721f9afdc5794e4f3f4f2aee0141 (patch)
tree: 389c998b5b3de31c34b36370490a2d6a90d8ae93
parent: 69457711050ac3a53859ef11790a7ac815cd7d94 (diff)
download: xorg-lib-libXRes-b053d215b80e721f9afdc5794e4f3f4f2aee0141.tar.gz
1 files changed, 6 insertions, 1 deletions
diff --git a/src/XRes.c b/src/XRes.c
index 1ab1db8..c989985 100644
--- a/src/XRes.c
+++ b/src/XRes.c
@@ -130,7 +130,12 @@ Status XResQueryClients (
     }
 
     if(rep.num_clients) {
-        if((clnts = Xmalloc(sizeof(XResClient) * rep.num_clients))) {
+        if (rep.num_clients < (INT_MAX / sizeof(XResClient)))
+            clnts = Xmalloc(sizeof(XResClient) * rep.num_clients);
+        else
+            clnts = NULL;
+
+        if (clnts != NULL) {
             xXResClient scratch;
             int i;
author	Alan Coopersmith <alan.coopersmith@oracle.com>	2013-04-12 23:36:13 -0700
committer	Alan Coopersmith <alan.coopersmith@oracle.com>	2013-05-06 23:22:42 -0700
commit	b053d215b80e721f9afdc5794e4f3f4f2aee0141 (patch)
tree	389c998b5b3de31c34b36370490a2d6a90d8ae93
parent	69457711050ac3a53859ef11790a7ac815cd7d94 (diff)
download	xorg-lib-libXRes-b053d215b80e721f9afdc5794e4f3f4f2aee0141.tar.gz