diff options
author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-04-13 20:57:07 -0700 |
---|---|---|
committer | Xavier Bachelot <xavier@bachelot.org> | 2013-05-22 20:16:19 +0200 |
commit | db309e3cd87a1279e8b592a692390755c528de4f (patch) | |
tree | 96c99d1d9d2487888ca136714fe25bec9438e821 | |
parent | 68bf50ce4903ec93da59cea78e063ed7c3882d3e (diff) |
integer overflow in uniDRIGetClientDriverName() in libchromeXvMC* [CVE-2013-1994 2/2]
clientDriverNameLength is a CARD32 and needs to be bounds checked before
adding one to it to come up with the total size to allocate, to avoid
integer overflow leading to underallocation and writing data from the
network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-rw-r--r-- | src/xvmc/xf86dri.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/src/xvmc/xf86dri.c b/src/xvmc/xf86dri.c index fba7583..c5702ec 100644 --- a/src/xvmc/xf86dri.c +++ b/src/xvmc/xf86dri.c @@ -314,8 +314,11 @@ uniDRIGetClientDriverName(dpy, screen, ddxDriverMajorVersion, *ddxDriverPatchVersion = rep.ddxDriverPatchVersion; if (rep.length) { - if (!(*clientDriverName = - (char *)Xcalloc(rep.clientDriverNameLength + 1, 1))) { + if (rep.clientDriverNameLength < INT_MAX) + *clientDriverName = Xcalloc(rep.clientDriverNameLength + 1, 1); + else + *clientDriverName = NULL; + if (*clientDriverName == NULL) { _XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3)); UnlockDisplay(dpy); SyncHandle(); |