authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-04-13 20:49:43 -0700
committerXavier Bachelot <xavier@bachelot.org>2013-05-22 20:16:19 +0200
commit68bf50ce4903ec93da59cea78e063ed7c3882d3e (patch)
tree2027998464588d8577d19baa6bca2e4aa1be9731
parent50cef9490c6a128613c5b9f3f19ef2e803088983 (diff)
integer overflow in uniDRIOpenConnection() in libchromeXvMC* [CVE-2013-1994 1/2]
busIdStringLength is a CARD32 and needs to be bounds checked before adding one to it to come up with the total size to allocate, to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-rw-r--r--src/xvmc/xf86dri.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/src/xvmc/xf86dri.c b/src/xvmc/xf86dri.c
index 1feb232..fba7583 100644
--- a/src/xvmc/xf86dri.c
+++ b/src/xvmc/xf86dri.c
@@ -42,6 +42,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#include <X11/extensions/Xext.h>
#include <X11/extensions/extutil.h>
#include "xf86dristr.h"
+#include <limits.h>
static XExtensionInfo _xf86dri_info_data;
static XExtensionInfo *xf86dri_info = &_xf86dri_info_data;
@@ -203,7 +204,11 @@ uniDRIOpenConnection(dpy, screen, hSAREA, busIdString)
}
#endif
if (rep.length) {
- if (!(*busIdString = (char *)Xcalloc(rep.busIdStringLength + 1, 1))) {
+ if (rep.busIdStringLength < INT_MAX)
+ *busIdString = Xcalloc(rep.busIdStringLength + 1, 1);
+ else
+ *busIdString = NULL;
+ if (*busIdString == NULL) {
_XEatData(dpy, ((rep.busIdStringLength + 3) & ~3));
UnlockDisplay(dpy);
SyncHandle();
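Review bot: The failure path still calls `_XEatData(dpy, ((rep.busIdStringLength + 3) & ~3));`, and for the oversized lengths that the new `else` branch rejects, the `+ 3` can wrap where CARD32 is 32 bits wide. The client would then discard fewer bytes than the server sent and leave the reply stream out of sync for the next request. Discarding by the reply's own word count avoids arithmetic on the untrusted field, for example `_XEatDataWords(dpy, rep.length);` where the installed libX11 provides it. The new guard also bounds `busIdStringLength` only by `INT_MAX` and never compares it with `rep.length`; a check such as `((rep.busIdStringLength + 3) >> 2) <= rep.length` alongside the `INT_MAX` test would reject a string length the reply cannot actually hold, assuming the string is the reply's only variable-length part. The function body continues outside the hunk, so the read into the buffer is not visible here.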