integer overflow in uniDRIGetClientDriverName() in libchromeXvMC* [CVE-2013-1994 2/2]

clientDriverNameLength is a CARD32 and needs to be bounds checked before adding one to it to come up with the total size to allocate, to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
author: Alan Coopersmith <alan.coopersmith@oracle.com> 2013-04-13 20:57:07 -0700
committer: Xavier Bachelot <xavier@bachelot.org> 2013-05-22 20:16:19 +0200
commit: db309e3cd87a1279e8b592a692390755c528de4f (patch)
tree: 96c99d1d9d2487888ca136714fe25bec9438e821
parent: 68bf50ce4903ec93da59cea78e063ed7c3882d3e (diff)
1 files changed, 5 insertions, 2 deletions
diff --git a/src/xvmc/xf86dri.c b/src/xvmc/xf86dri.c
index fba7583..c5702ec 100644
--- a/src/xvmc/xf86dri.c
+++ b/src/xvmc/xf86dri.c
@@ -314,8 +314,11 @@ uniDRIGetClientDriverName(dpy, screen, ddxDriverMajorVersion,
     *ddxDriverPatchVersion = rep.ddxDriverPatchVersion;
 
     if (rep.length) {
-	if (!(*clientDriverName =
-		(char *)Xcalloc(rep.clientDriverNameLength + 1, 1))) {
+	if (rep.clientDriverNameLength < INT_MAX)
+	    *clientDriverName = Xcalloc(rep.clientDriverNameLength + 1, 1);
+	else
+	    *clientDriverName = NULL;
+	if (*clientDriverName == NULL) {
 	    _XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3));
 	    UnlockDisplay(dpy);
 	    SyncHandle();
author	Alan Coopersmith <alan.coopersmith@oracle.com>	2013-04-13 20:57:07 -0700
committer	Xavier Bachelot <xavier@bachelot.org>	2013-05-22 20:16:19 +0200
commit	db309e3cd87a1279e8b592a692390755c528de4f (patch)
tree	96c99d1d9d2487888ca136714fe25bec9438e821
parent	68bf50ce4903ec93da59cea78e063ed7c3882d3e (diff)