summaryrefslogtreecommitdiff
authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-03-02 23:08:21 (GMT)
committer Alan Coopersmith <alan.coopersmith@oracle.com>2013-05-10 01:59:53 (GMT)
commit833f6b70bc789d33607f6dbfee9e0a4178ec4b59 (patch) (side-by-side diff)
treec2e4d0c2461d78f95cd82ac980d44f03fb5e2d98
parent79d8dc08eb98842173ce239b9dd60df0e9e9ae72 (diff)
downloadlibX11-833f6b70bc789d33607f6dbfee9e0a4178ec4b59.zip
libX11-833f6b70bc789d33607f6dbfee9e0a4178ec4b59.tar.gz
integer overflow in XGetImage() [CVE-2013-1981 11/13]
Ensure that we don't underallocate when the server claims to have sent a very large reply. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Diffstat (more/less context) (ignore whitespace changes)
-rw-r--r--src/GetImage.c12
1 files changed, 8 insertions, 4 deletions
diff --git a/src/GetImage.c b/src/GetImage.c
index e8f1b03..c461abc 100644
--- a/src/GetImage.c
+++ b/src/GetImage.c
@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
#include "Xlibint.h"
#include <X11/Xutil.h> /* for XDestroyImage */
#include "ImUtil.h"
+#include <limits.h>
#define ROUNDUP(nbytes, pad) (((((nbytes) - 1) + (pad)) / (pad)) * (pad))
@@ -56,7 +57,7 @@ XImage *XGetImage (
xGetImageReply rep;
register xGetImageReq *req;
char *data;
- long nbytes;
+ unsigned long nbytes;
XImage *image;
LockDisplay(dpy);
GetReq (GetImage, req);
@@ -78,10 +79,13 @@ XImage *XGetImage (
return (XImage *)NULL;
}
- nbytes = (long)rep.length << 2;
- data = (char *) Xmalloc((unsigned) nbytes);
+ if (rep.length < (INT_MAX >> 2)) {
+ nbytes = (unsigned long)rep.length << 2;
+ data = Xmalloc(nbytes);
+ } else
+ data = NULL;
if (! data) {
- _XEatData(dpy, (unsigned long) nbytes);
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay(dpy);
SyncHandle();
return (XImage *) NULL;