authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-03-01 18:37:37 -0800
committerAlan Coopersmith <alan.coopersmith@oracle.com>2013-05-09 18:59:52 -0700
commit076428918e6c35f66b9b55c3fa097ff06496d155 (patch)
tree223ce1e7659aef753e639c657c9f5096edff23a3
parent90fd5abac2faca86f9f100353a3c9c7b89f31484 (diff)
integer overflow in ReadInFile() in Xrm.c [CVE-2013-1981 7/13]
Called from XrmGetFileDatabase(), which gets called from InitDefaults(), which gets the filename from getenv ("XENVIRONMENT"). If the file is exactly 0xffffffff bytes long (or longer and truncates to 0xffffffff, on implementations where off_t is larger than an int), then size may be set to a value which overflows, causing less memory to be allocated than is written to by the following read() call. size is left limited to an int, because if your Xresources file is larger than 2gb, you're very definitely doing it wrong. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
-rw-r--r--src/Xrm.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/src/Xrm.c b/src/Xrm.c
index d6899d97..3e29ab0f 100644
--- a/src/Xrm.c
+++ b/src/Xrm.c
@@ -62,6 +62,7 @@ from The Open Group.
#endif
#include <X11/Xos.h>
#include <sys/stat.h>
+#include <limits.h>
#include "Xresinternal.h"
#include "Xresource.h"
@@ -1594,11 +1595,12 @@ ReadInFile(_Xconst char *filename)
*/
{
struct stat status_buffer;
- if ( (fstat(fd, &status_buffer)) == -1 ) {
+ if ( ((fstat(fd, &status_buffer)) == -1 ) ||
+ (status_buffer.st_size >= INT_MAX) ) {
close (fd);
return (char *)NULL;
} else
- size = status_buffer.st_size;
+ size = (int) status_buffer.st_size;
}
if (!(filebuf = Xmalloc(size + 1))) { /* leave room for '\0' */
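Review bot: The new guard only bounds st_size from above; off_t is signed, and a negative value would pass the `>= INT_MAX` test, be cast to a negative `int`, and then feed `size + 1` into Xmalloc and (presumably) `size` into the read() that follows outside this hunk, where it would be converted to a huge size_t. st_size should not be negative for a regular file, but nothing here checks S_ISREG, so XENVIRONMENT pointing at a non-regular file gives an st_size with no guaranteed meaning. I would make the rejection symmetric: `(status_buffer.st_size < 0 || status_buffer.st_size >= INT_MAX) ) {`. A one-line comment above the check would also help the next reader, e.g. `/* size is an int; reject anything for which size + 1 below could overflow */`. ReadInFile() starts before this hunk and its read() of `size` bytes is after it.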