author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-04-12 23:36:13 -0700 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-05-07 18:47:48 -0700 |
commit | ad156a716a324ee60362c8ba66a5ed8c835c219b (patch) | |
tree | 0476b56af382c69f2403ea681af218fe5e40d91c | |
parent | 3ec2db9eeb9ba8fb561802b0c4b8bf79e321b7a2 (diff) |
integer overflow in XResQueryClientResources() [CVE-2013-1988 2/2]
The CARD32 rep.num_types needs to be bounds checked before multiplying
by sizeof(XResType) to avoid integer overflow leading to underallocation
and writing data from the network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-rw-r--r-- | src/XRes.c | 7 |
1 files changed, 6 insertions, 1 deletions
@@ -186,7 +186,12 @@ Status XResQueryClientResources ( } if(rep.num_types) { - if((typs = Xmalloc(sizeof(XResType) * rep.num_types))) { + if (rep.num_types < (INT_MAX / sizeof(XResType))) + typs = Xmalloc(sizeof(XResType) * rep.num_types); + else + typs = NULL; + + if (typs != NULL) { xXResType scratch; int i; |
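Review bot: The new bound `rep.num_types < (INT_MAX / sizeof(XResType))` relies on INT_MAX, but the diffstat lists this hunk as the only change to src/XRes.c and none of its six added lines is an `#include <limits.h>`. Please confirm the header is already included in this file (for example by patch 1/2 of the series), so the build does not depend on a transitive include. Also check the path taken when the new `else` sets `typs = NULL`: the reply payload sent by the server still has to be discarded from the connection there, and the function's Status return should report failure. Neither is visible in this hunk.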