summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-04-12 23:36:13 -0700
committerAlan Coopersmith <alan.coopersmith@oracle.com>2013-05-06 23:22:42 -0700
commitb053d215b80e721f9afdc5794e4f3f4f2aee0141 (patch)
tree389c998b5b3de31c34b36370490a2d6a90d8ae93 /src
parent69457711050ac3a53859ef11790a7ac815cd7d94 (diff)
downloadxorg-lib-libXRes-b053d215b80e721f9afdc5794e4f3f4f2aee0141.tar.gz
integer overflow in XResQueryClients() [CVE-2013-1988 1/2]
The CARD32 rep.num_clients needs to be bounds checked before multiplying by sizeof(XResClient) to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Diffstat (limited to 'src')
-rw-r--r--src/XRes.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/src/XRes.c b/src/XRes.c
index 1ab1db8..c989985 100644
--- a/src/XRes.c
+++ b/src/XRes.c
@@ -130,7 +130,12 @@ Status XResQueryClients (
}
if(rep.num_clients) {
- if((clnts = Xmalloc(sizeof(XResClient) * rep.num_clients))) {
+ if (rep.num_clients < (INT_MAX / sizeof(XResClient)))
+ clnts = Xmalloc(sizeof(XResClient) * rep.num_clients);
+ else
+ clnts = NULL;
+
+ if (clnts != NULL) {
xXResClient scratch;
int i;