author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-04-12 23:36:13 -0700 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-05-06 23:22:42 -0700 |
commit | b053d215b80e721f9afdc5794e4f3f4f2aee0141 (patch) | |
tree | 389c998b5b3de31c34b36370490a2d6a90d8ae93 /src/XRes.c | |
parent | 69457711050ac3a53859ef11790a7ac815cd7d94 (diff) | |
download | xorg-lib-libXRes-b053d215b80e721f9afdc5794e4f3f4f2aee0141.tar.gz |
integer overflow in XResQueryClients() [CVE-2013-1988 1/2]
The CARD32 rep.num_clients needs to be bounds checked before multiplying
by sizeof(XResClient) to avoid integer overflow leading to underallocation
and writing data from the network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Diffstat (limited to 'src/XRes.c')
-rw-r--r-- | src/XRes.c | 7 |
1 files changed, 6 insertions, 1 deletions
@@ -130,7 +130,12 @@ Status XResQueryClients ( } if(rep.num_clients) { - if((clnts = Xmalloc(sizeof(XResClient) * rep.num_clients))) { + if (rep.num_clients < (INT_MAX / sizeof(XResClient))) + clnts = Xmalloc(sizeof(XResClient) * rep.num_clients); + else + clnts = NULL; + + if (clnts != NULL) { xXResClient scratch; int i; |
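Review bot: The new bound `rep.num_clients < (INT_MAX / sizeof(XResClient))` relies on INT_MAX, yet the 6 insertions the diffstat reports for src/XRes.c are all accounted for by this hunk, so no `#include <limits.h>` is added in this file; please confirm the header is already included there, or add it explicitly, so the check does not depend on an indirect include. Because an over-large rep.num_clients now sets `clnts = NULL` and joins the same path as an Xmalloc failure, it is also worth confirming that the code handling `clnts == NULL` (not visible in this hunk) still discards the pending reply data, and adding a short comment on the new `if` stating that the limit guards the multiplication against overflow.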