integer overflow & underflow in XDGASetMode() [CVE-2013-1991 2/2]

rep.length is a CARD32 and needs to be bounds checked before bit shifting
and subtracting sz_xXDGAModeInfo to come up with the total size to allocate,
to avoid integer overflow or underflow leading to underallocation and
writing data from the network past the end of the allocated buffer.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

1 files changed, 9 insertions, 4 deletions

diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
index b5145ee..90ca918 100644
--- a/src/XF86DGA2.c
+++ b/src/XF86DGA2.c
@@ -405,12 +405,15 @@ XDGASetMode(
     if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) {
 	if(rep.length) {
 	   xXDGAModeInfo info;
-	   int size;
+	   unsigned long size;
 
-	   size = rep.length << 2;
-	   size -= sz_xXDGAModeInfo; /* get text size */
+	   if ((rep.length < (INT_MAX >> 2)) &&
+	       (rep.length > (sz_xXDGAModeInfo >> 2))) {
+	       size = rep.length << 2;
+	       size -= sz_xXDGAModeInfo; /* get text size */
 
-	   dev = (XDGADevice*)Xmalloc(sizeof(XDGADevice) + size);
+	       dev = Xmalloc(sizeof(XDGADevice) + size);
+	   }
 
 	   if(dev) {
 		_XRead(dpy, (char*)(&info), sz_xXDGAModeInfo);
@@ -451,6 +454,8 @@ XDGASetMode(
 		    dev->data += rep.offset;
 	   }
 	   /* not sure what to do if the allocation fails */
+	   else
+	       _XEatDataWords(dpy, rep.length);
 	}
     }