From ad156a716a324ee60362c8ba66a5ed8c835c219b Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri, 12 Apr 2013 23:36:13 -0700
Subject: integer overflow in XResQueryClientResources() [CVE-2013-1988 2/2]

The CARD32 rep.num_types needs to be bounds checked before multiplying
by sizeof(XResType) to avoid integer overflow leading to underallocation
and writing data from the network past the end of the allocated buffer.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
 src/XRes.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/XRes.c b/src/XRes.c
index 5117321..ff21dd4 100644
--- a/src/XRes.c
+++ b/src/XRes.c
@@ -186,7 +186,12 @@ Status XResQueryClientResources (
     }
 
     if(rep.num_types) {
-        if((typs = Xmalloc(sizeof(XResType) * rep.num_types))) {
+        if (rep.num_types < (INT_MAX / sizeof(XResType)))
+            typs = Xmalloc(sizeof(XResType) * rep.num_types);
+        else
+            typs = NULL;
+
+        if (typs != NULL) {
             xXResType scratch;
             int i;
 
-- 
cgit v1.2.1