From 5074d9d64192bd04519a438062b7d5bf216d06ee Mon Sep 17 00:00:00 2001
From: Alan Coopersmith
Date: Sat, 9 Mar 2013 13:48:28 -0800
Subject: integer overflow in DMXGetInputAttributes() [CVE-2013-1992 3/3]

If the server provided nameLength causes integer overflow when padding length is added, a smaller buffer would be allocated than the amount of data written to it.

Reported-by: Ilja Van Sprundel
Signed-off-by: Alan Coopersmith
---
 src/dmx.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/src/dmx.c b/src/dmx.c
index 67434c8..d097062 100644
--- a/src/dmx.c
+++ b/src/dmx.c
@@ -723,6 +723,7 @@ Bool DMXGetInputAttributes(Display *dpy, int id, DMXInputAttributes *inf)
     xDMXGetInputAttributesReply rep;
     xDMXGetInputAttributesReq *req;
     char *buffer;
+    Bool ret = False;
 
     DMXCheckExtension(dpy, info, False);
 
@@ -737,6 +738,16 @@ Bool DMXGetInputAttributes(Display *dpy, int id, DMXInputAttributes *inf)
         return False;
     }
 
+    if (rep.nameLength < 1024)
+        buffer = Xmalloc(rep.nameLength + 1 + 4 /* for pad */);
+    else
+        buffer = NULL; /* name length is unbelievable, reject */
+
+    if (buffer == NULL) {
+        _XEatDataWords(dpy, rep.length);
+        goto end;
+    }
+
     switch (rep.inputType) {
     case 0: inf->inputType = DMXLocalInputType; break;
     case 1: inf->inputType = DMXConsoleInputType; break;
@@ -748,13 +759,14 @@ Bool DMXGetInputAttributes(Display *dpy, int id, DMXInputAttributes *inf)
     inf->isCore = rep.isCore;
     inf->sendsCore = rep.sendsCore;
     inf->detached = rep.detached;
-    buffer = Xmalloc(rep.nameLength + 1 + 4 /* for pad */);
     _XReadPad(dpy, buffer, rep.nameLength);
     buffer[rep.nameLength] = '\0';
     inf->name = buffer;
+    ret = True;
+end:
     UnlockDisplay(dpy);
     SyncHandle();
-    return True;
+    return ret;
 }
 
 /** Add input. */
-- 
cgit v1.2.1
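Review bot: The new guard in the second hunk caps rep.nameLength at 1024 but never cross-checks it against rep.length, so a reply whose nameLength claims more bytes than the reply actually carries could still make the later _XReadPad(dpy, buffer, rep.nameLength) consume data belonging to the next reply and desynchronize the connection — no longer a heap overflow, but still an unchecked trust in a server-supplied field. If rep.length follows the usual X reply convention of counting 4-byte words of trailing data (the reply layout is not visible in this hunk, so confirm against the header), the guard could read `if (rep.nameLength < 1024 && (rep.nameLength + 3) / 4 <= rep.length)` with the else branch unchanged, so an inconsistent reply takes the existing _XEatDataWords/goto end path. The literal 1024 would also read better as a named constant with the rationale attached, e.g. `enum { DMX_MAX_INPUT_NAME_LEN = 1024 }; /* server-supplied name lengths at or above this are rejected as implausible */`, since the inline "unbelievable" comment is currently the only documentation of the bound. DMXGetInputAttributes begins before the first hunk; only its signature is visible in the @@ headers.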