authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-04-12 23:36:13 -0700
committerAlan Coopersmith <alan.coopersmith@oracle.com>2013-05-06 23:22:42 -0700
commitf468184963e53feda848853c4aefd0197b2cc116 (patch)
tree745478e960334e728fddccbc3582a5b60d6d7d34
parentb053d215b80e721f9afdc5794e4f3f4f2aee0141 (diff)
downloadxorg-lib-libXRes-f468184963e53feda848853c4aefd0197b2cc116.tar.gz
integer overflow in XResQueryClientResources() [CVE-2013-1988 2/2]
The CARD32 rep.num_types needs to be bounds checked before multiplying by sizeof(XResType) to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-rw-r--r--src/XRes.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/src/XRes.c b/src/XRes.c
index c989985..51e905f 100644
--- a/src/XRes.c
+++ b/src/XRes.c
@@ -187,7 +187,12 @@ Status XResQueryClientResources (
}
if(rep.num_types) {
- if((typs = Xmalloc(sizeof(XResType) * rep.num_types))) {
+ if (rep.num_types < (INT_MAX / sizeof(XResType)))
+ typs = Xmalloc(sizeof(XResType) * rep.num_types);
+ else
+ typs = NULL;
+
+ if (typs != NULL) {
xXResType scratch;
int i;