authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-04-12 23:36:13 -0700
committerAlan Coopersmith <alan.coopersmith@oracle.com>2013-05-07 18:47:48 -0700
commitad156a716a324ee60362c8ba66a5ed8c835c219b (patch)
tree0476b56af382c69f2403ea681af218fe5e40d91c
parent3ec2db9eeb9ba8fb561802b0c4b8bf79e321b7a2 (diff)
integer overflow in XResQueryClientResources() [CVE-2013-1988 2/2]
The CARD32 rep.num_types needs to be bounds checked before multiplying by sizeof(XResType) to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-rw-r--r--src/XRes.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/src/XRes.c b/src/XRes.c
index 5117321..ff21dd4 100644
--- a/src/XRes.c
+++ b/src/XRes.c
@@ -186,7 +186,12 @@ Status XResQueryClientResources (
}
if(rep.num_types) {
- if((typs = Xmalloc(sizeof(XResType) * rep.num_types))) {
+ if (rep.num_types < (INT_MAX / sizeof(XResType)))
+ typs = Xmalloc(sizeof(XResType) * rep.num_types);
+ else
+ typs = NULL;
+
+ if (typs != NULL) {
xXResType scratch;
int i;
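Review bot: The oversized-count case at `else typs = NULL;` is merged into the allocation-failure path, so a reply whose `rep.num_types` fails the bound check is only handled safely if the `else` arm of `if (typs != NULL)` discards the unread reply data and returns failure. That arm is outside this hunk and should be confirmed. The check also relies on `INT_MAX`, so `<limits.h>` must be included in XRes.c, which is not visible here. I would add a comment above the check, such as `/* num_types is server-supplied: reject counts whose byte size would overflow the Xmalloc() argument */`, so the reason for the bound stays clear to later readers. XResQueryClientResources continues beyond the hunk.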