diff options
author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-04-13 20:49:43 -0700 |
---|---|---|
committer | Xavier Bachelot <xavier@bachelot.org> | 2013-05-22 20:16:19 +0200 |
commit | 68bf50ce4903ec93da59cea78e063ed7c3882d3e (patch) | |
tree | 2027998464588d8577d19baa6bca2e4aa1be9731 | |
parent | 50cef9490c6a128613c5b9f3f19ef2e803088983 (diff) |
integer overflow in uniDRIOpenConnection() in libchromeXvMC* [CVE-2013-1994 1/2]
busIdStringLength is a CARD32 and needs to be bounds checked before adding
one to it to come up with the total size to allocate, to avoid integer
overflow leading to underallocation and writing data from the network past
the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-rw-r--r-- | src/xvmc/xf86dri.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/src/xvmc/xf86dri.c b/src/xvmc/xf86dri.c index 1feb232..fba7583 100644 --- a/src/xvmc/xf86dri.c +++ b/src/xvmc/xf86dri.c @@ -42,6 +42,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. #include <X11/extensions/Xext.h> #include <X11/extensions/extutil.h> #include "xf86dristr.h" +#include <limits.h> static XExtensionInfo _xf86dri_info_data; static XExtensionInfo *xf86dri_info = &_xf86dri_info_data; @@ -203,7 +204,11 @@ uniDRIOpenConnection(dpy, screen, hSAREA, busIdString) } #endif if (rep.length) { - if (!(*busIdString = (char *)Xcalloc(rep.busIdStringLength + 1, 1))) { + if (rep.busIdStringLength < INT_MAX) + *busIdString = Xcalloc(rep.busIdStringLength + 1, 1); + else + *busIdString = NULL; + if (*busIdString == NULL) { _XEatData(dpy, ((rep.busIdStringLength + 3) & ~3)); UnlockDisplay(dpy); SyncHandle(); |