authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-03-02 15:08:21 -0800
committerAlan Coopersmith <alan.coopersmith@oracle.com>2013-05-09 18:59:53 -0700
commita351b8103b2ba78882e1c309e85893ca3abe2073 (patch)
tree6f0865c00bbd6e799ba73c0b1c961943ca6e52f8
parent833f6b70bc789d33607f6dbfee9e0a4178ec4b59 (diff)
integer overflow in XGetPointerMapping() & XGetKeyboardMapping() [CVE-2013-1981 12/13]
Ensure that we don't underallocate when the server claims a very large reply.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
-rw-r--r--src/GetPntMap.c31
1 files changed, 20 insertions, 11 deletions
diff --git a/src/GetPntMap.c b/src/GetPntMap.c
index 0fcdb669..29fdf21f 100644
--- a/src/GetPntMap.c
+++ b/src/GetPntMap.c
@@ -29,6 +29,7 @@ in this Software without prior written authorization from The Open Group.
#include <config.h>
#endif
#include "Xlibint.h"
+#include <limits.h>
#ifdef MIN /* some systems define this in <sys/param.h> */
#undef MIN
@@ -42,7 +43,7 @@ int XGetPointerMapping (
{
unsigned char mapping[256]; /* known fixed size */
- long nbytes, remainder = 0;
+ unsigned long nbytes, remainder = 0;
xGetPointerMappingReply rep;
register xReq *req;
@@ -54,9 +55,15 @@ int XGetPointerMapping (
return 0;
}
- nbytes = (long)rep.length << 2;
-
/* Don't count on the server returning a valid value */
+ if (rep.length >= (INT_MAX >> 2)) {
+ _XEatDataWords(dpy, rep.length);
+ UnlockDisplay(dpy);
+ SyncHandle();
+ return 0;
+ }
+
+ nbytes = (unsigned long) rep.length << 2;
if (nbytes > sizeof mapping) {
remainder = nbytes - sizeof mapping;
nbytes = sizeof mapping;
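Review bot: The new bound `rep.length >= (INT_MAX >> 2)` reads as a magic number; with `nbytes` now `unsigned long` the shift on the line below can no longer overflow on LP64, so the real reason for the limit is that the byte count is later handed to `_XEatData` and the read helpers, which (as far as the cast removed in the next hunk suggests) take `long`-typed lengths. A one-line comment would keep the next maintainer from "simplifying" it away: `/* rep.length is a CARD32 word count from the server; reject any reply whose byte count would not fit in an int before it reaches _XRead/_XEatData */`. It would also be worth noting on the `nbytes > sizeof mapping` branch that a reply larger than the 256-byte `mapping` is silently truncated and the excess discarded rather than treated as an error, since that is a protocol violation the caller never learns about. XGetPointerMapping's body continues outside the hunk.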
@@ -69,7 +76,7 @@ int XGetPointerMapping (
}
if (remainder)
- _XEatData(dpy, (unsigned long)remainder);
+ _XEatData(dpy, remainder);
UnlockDisplay(dpy);
SyncHandle();
@@ -86,8 +93,8 @@ XGetKeyboardMapping (Display *dpy,
int count,
int *keysyms_per_keycode)
{
- long nbytes;
- unsigned long nkeysyms;
+ unsigned long nbytes;
+ CARD32 nkeysyms;
register KeySym *mapping = NULL;
xGetKeyboardMappingReply rep;
register xGetKeyboardMappingReq *req;
@@ -102,17 +109,19 @@ XGetKeyboardMapping (Display *dpy,
return (KeySym *) NULL;
}
- nkeysyms = (unsigned long) rep.length;
+ nkeysyms = rep.length;
if (nkeysyms > 0) {
- nbytes = nkeysyms * sizeof (KeySym);
- mapping = (KeySym *) Xmalloc ((unsigned) nbytes);
- nbytes = nkeysyms << 2;
+ if (nkeysyms < (INT_MAX / sizeof (KeySym))) {
+ nbytes = nkeysyms * sizeof (KeySym);
+ mapping = Xmalloc (nbytes);
+ }
if (! mapping) {
- _XEatData(dpy, (unsigned long) nbytes);
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay(dpy);
SyncHandle();
return (KeySym *) NULL;
}
+ nbytes = nkeysyms << 2;
_XRead32 (dpy, (long *) mapping, nbytes);
}
*keysyms_per_keycode = rep.keySymsPerKeyCode;
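Review bot: The `if (! mapping)` test now folds two different conditions together — an oversized `nkeysyms` that skipped the `Xmalloc`, and a genuine allocation failure — and the later `nbytes = nkeysyms << 2` is only safe because the earlier `INT_MAX / sizeof (KeySym)` bound held; neither fact is visible at the point of use. Suggested comment above the NULL check: `/* mapping is NULL both when the reply was too large to allocate and when Xmalloc failed; either way drain the reply and report failure */`, and above the shift: `/* wire keysyms are 32-bit words, so nbytes <= the KeySym buffer allocated above (sizeof (KeySym) >= 4 assumed) */`. Separately, `rep.keySymsPerKeyCode` is passed straight through to the caller on the last line without being checked against `nkeysyms` and `count`; if that cross-check is not done elsewhere, a reply where `count * keySymsPerKeyCode` exceeds `nkeysyms` would let callers index past the buffer this function sized from `rep.length`. The same unsigned/CARD32 type changes appear in the preceding hunk of this function.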