summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-03-01 22:49:01 -0800
committerAlan Coopersmith <alan.coopersmith@oracle.com>2013-05-09 18:59:50 -0700
commit2cd62b5eb99ffbb2fce99f3c459455e630b35bf7 (patch)
tree82d25a979eb4c4b5b79f7b5525a9147cbbf4bdfb
parent1f6a3dbf699b85c0ea715ef21de7e7095a714e12 (diff)
integer overflow in XListHosts() [CVE-2013-1981 5/13]
If the reported number of host entries is too large, the calculations to allocate memory for them may overflow, leaving us writing beyond the bounds of the allocation. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
-rw-r--r--src/LiHosts.c22
1 files changed, 15 insertions, 7 deletions
diff --git a/src/LiHosts.c b/src/LiHosts.c
index 0f5e837d..83cf3c79 100644
--- a/src/LiHosts.c
+++ b/src/LiHosts.c
@@ -62,6 +62,8 @@ X Window System is a trademark of The Open Group.
#include <config.h>
#endif
#include "Xlibint.h"
+#include <limits.h>
+
/*
* can be freed using XFree.
*/
@@ -73,7 +75,6 @@ XHostAddress *XListHosts (
{
register XHostAddress *outbuf = NULL, *op;
xListHostsReply reply;
- long nbytes;
unsigned char *buf, *bp;
register unsigned i;
register xListHostsReq *req;
@@ -90,19 +91,26 @@ XHostAddress *XListHosts (
}
if (reply.nHosts) {
- nbytes = reply.length << 2; /* compute number of bytes in reply */
+ unsigned long nbytes = reply.length << 2; /* number of bytes in reply */
+ const unsigned long max_hosts = INT_MAX /
+ (sizeof(XHostAddress) + sizeof(XServerInterpretedAddress));
+
+ if (reply.nHosts < max_hosts) {
+ unsigned long hostbytes = reply.nHosts *
+ (sizeof(XHostAddress) + sizeof(XServerInterpretedAddress));
- op = outbuf = (XHostAddress *)
- Xmalloc((unsigned) (nbytes +
- (reply.nHosts * sizeof(XHostAddress)) +
- (reply.nHosts * sizeof(XServerInterpretedAddress))));
+ if (reply.length < (INT_MAX >> 2) &&
+ (hostbytes >> 2) < ((INT_MAX >> 2) - reply.length))
+ outbuf = Xmalloc(nbytes + hostbytes);
+ }
if (! outbuf) {
- _XEatData(dpy, (unsigned long) nbytes);
+ _XEatDataWords(dpy, reply.length);
UnlockDisplay(dpy);
SyncHandle();
return (XHostAddress *) NULL;
}
+ op = outbuf;
sip = (XServerInterpretedAddress *)
(((unsigned char *) outbuf) + (reply.nHosts * sizeof(XHostAddress)));
bp = buf = ((unsigned char *) sip)