diff options
author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-03-02 15:08:21 -0800 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-05-09 18:59:53 -0700 |
commit | 0b0f5d4358c3de7563d6af03f0d2ce454702a06a (patch) | |
tree | 90dca57ea7b4b7909cd92b0fd354ebe0d9204d0a | |
parent | a351b8103b2ba78882e1c309e85893ca3abe2073 (diff) |
integer overflow in XGetModifierMapping() [CVE-2013-1981 13/13]
Ensure that we don't underallocate when the server claims a very large reply
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
-rw-r--r-- | src/ModMap.c | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/src/ModMap.c b/src/ModMap.c index c99bfdd5..122ca80d 100644 --- a/src/ModMap.c +++ b/src/ModMap.c @@ -28,6 +28,7 @@ in this Software without prior written authorization from The Open Group. #include <config.h> #endif #include "Xlibint.h" +#include <limits.h> XModifierKeymap * XGetModifierMapping(register Display *dpy) @@ -41,13 +42,17 @@ XGetModifierMapping(register Display *dpy) GetEmptyReq(GetModifierMapping, req); (void) _XReply (dpy, (xReply *)&rep, 0, xFalse); - nbytes = (unsigned long)rep.length << 2; - res = (XModifierKeymap *) Xmalloc(sizeof (XModifierKeymap)); - if (res) res->modifiermap = (KeyCode *) Xmalloc ((unsigned) nbytes); + if (rep.length < (LONG_MAX >> 2)) { + nbytes = (unsigned long)rep.length << 2; + res = Xmalloc(sizeof (XModifierKeymap)); + if (res) + res->modifiermap = Xmalloc (nbytes); + } else + res = NULL; if ((! res) || (! res->modifiermap)) { if (res) Xfree((char *) res); res = (XModifierKeymap *) NULL; - _XEatData(dpy, nbytes); + _XEatDataWords(dpy, rep.length); } else { _XReadPad(dpy, (char *) res->modifiermap, (long) nbytes); res->max_keypermod = rep.numKeyPerModifier; |