diff options
author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-03-02 15:08:21 -0800 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-05-09 18:59:53 -0700 |
commit | a351b8103b2ba78882e1c309e85893ca3abe2073 (patch) | |
tree | 6f0865c00bbd6e799ba73c0b1c961943ca6e52f8 | |
parent | 833f6b70bc789d33607f6dbfee9e0a4178ec4b59 (diff) |
integer overflow in XGetPointerMapping() & XGetKeyboardMapping() [CVE-2013-1981 12/13]
Ensure that we don't underallocate when the server claims a very large reply
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
-rw-r--r-- | src/GetPntMap.c | 31 |
1 files changed, 20 insertions, 11 deletions
diff --git a/src/GetPntMap.c b/src/GetPntMap.c index 0fcdb669..29fdf21f 100644 --- a/src/GetPntMap.c +++ b/src/GetPntMap.c @@ -29,6 +29,7 @@ in this Software without prior written authorization from The Open Group. #include <config.h> #endif #include "Xlibint.h" +#include <limits.h> #ifdef MIN /* some systems define this in <sys/param.h> */ #undef MIN @@ -42,7 +43,7 @@ int XGetPointerMapping ( { unsigned char mapping[256]; /* known fixed size */ - long nbytes, remainder = 0; + unsigned long nbytes, remainder = 0; xGetPointerMappingReply rep; register xReq *req; @@ -54,9 +55,15 @@ int XGetPointerMapping ( return 0; } - nbytes = (long)rep.length << 2; - /* Don't count on the server returning a valid value */ + if (rep.length >= (INT_MAX >> 2)) { + _XEatDataWords(dpy, rep.length); + UnlockDisplay(dpy); + SyncHandle(); + return 0; + } + + nbytes = (unsigned long) rep.length << 2; if (nbytes > sizeof mapping) { remainder = nbytes - sizeof mapping; nbytes = sizeof mapping; @@ -69,7 +76,7 @@ int XGetPointerMapping ( } if (remainder) - _XEatData(dpy, (unsigned long)remainder); + _XEatData(dpy, remainder); UnlockDisplay(dpy); SyncHandle(); @@ -86,8 +93,8 @@ XGetKeyboardMapping (Display *dpy, int count, int *keysyms_per_keycode) { - long nbytes; - unsigned long nkeysyms; + unsigned long nbytes; + CARD32 nkeysyms; register KeySym *mapping = NULL; xGetKeyboardMappingReply rep; register xGetKeyboardMappingReq *req; @@ -102,17 +109,19 @@ XGetKeyboardMapping (Display *dpy, return (KeySym *) NULL; } - nkeysyms = (unsigned long) rep.length; + nkeysyms = rep.length; if (nkeysyms > 0) { - nbytes = nkeysyms * sizeof (KeySym); - mapping = (KeySym *) Xmalloc ((unsigned) nbytes); - nbytes = nkeysyms << 2; + if (nkeysyms < (INT_MAX / sizeof (KeySym))) { + nbytes = nkeysyms * sizeof (KeySym); + mapping = Xmalloc (nbytes); + } if (! mapping) { - _XEatData(dpy, (unsigned long) nbytes); + _XEatDataWords(dpy, rep.length); UnlockDisplay(dpy); SyncHandle(); return (KeySym *) NULL; } + nbytes = nkeysyms << 2; _XRead32 (dpy, (long *) mapping, nbytes); } *keysyms_per_keycode = rep.keySymsPerKeyCode; |