integer overflow in XGetImage() [CVE-2013-1981 11/13]

Ensure that we don't underallocate when the server claims to have sent a
very large reply.

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>

1 files changed, 8 insertions, 4 deletions

diff --git a/src/GetImage.c b/src/GetImage.c
index e8f1b030..c461abc0 100644
--- a/src/GetImage.c
+++ b/src/GetImage.c
@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
 #include "Xlibint.h"
 #include <X11/Xutil.h>          /* for XDestroyImage */
 #include "ImUtil.h"
+#include <limits.h>
 
 #define ROUNDUP(nbytes, pad) (((((nbytes) - 1) + (pad)) / (pad)) * (pad))
 
@@ -56,7 +57,7 @@ XImage *XGetImage (
         xGetImageReply rep;
         register xGetImageReq *req;
         char *data;
-        long nbytes;
+        unsigned long nbytes;
         XImage *image;
         LockDisplay(dpy);
         GetReq (GetImage, req);
@@ -78,10 +79,13 @@ XImage *XGetImage (
                 return (XImage *)NULL;
         }
 
-        nbytes = (long)rep.length << 2;
-        data = (char *) Xmalloc((unsigned) nbytes);
+        if (rep.length < (INT_MAX >> 2)) {
+            nbytes = (unsigned long)rep.length << 2;
+            data = Xmalloc(nbytes);
+        } else
+            data = NULL;
         if (! data) {
-            _XEatData(dpy, (unsigned long) nbytes);
+            _XEatDataWords(dpy, rep.length);
             UnlockDisplay(dpy);
             SyncHandle();
             return (XImage *) NULL;