summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-03-09 14:40:33 -0800
committerAlan Coopersmith <alan.coopersmith@oracle.com>2013-05-02 18:34:27 -0700
commit6ecd96e8be3c33e2ffad6631cea4aa0a030d93c2 (patch)
tree002a7bfda5287c0767472be66e2fab1246b28952
parent67ecdcf7e29de9fa78b421122620525ed2c7db88 (diff)
integer overflow in XShapeGetRectangles() [CVE-2013-1982 5/6]
If the number of rectangles reported by the server is large enough that it overflows when multiplied by the size of the appropriate struct, then memory corruption can occur when more bytes are read from the X server than the size of the buffer we allocated to hold them. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-rw-r--r--src/XShape.c24
1 files changed, 14 insertions, 10 deletions
diff --git a/src/XShape.c b/src/XShape.c
index 3987876..d025020 100644
--- a/src/XShape.c
+++ b/src/XShape.c
@@ -35,6 +35,7 @@ in this Software without prior written authorization from The Open Group.
#include <X11/extensions/extutil.h>
#include <X11/extensions/shape.h>
#include <X11/extensions/shapeproto.h>
+#include <limits.h>
#include "eat.h"
static XExtensionInfo _shape_info_data;
@@ -443,7 +444,7 @@ XRectangle *XShapeGetRectangles (
xShapeGetRectanglesReply rep;
XRectangle *rects;
xRectangle *xrects;
- int i;
+ unsigned int i;
ShapeCheckExtension (dpy, info, (XRectangle *)NULL);
@@ -461,20 +462,23 @@ XRectangle *XShapeGetRectangles (
*count = rep.nrects;
*ordering = rep.ordering;
rects = NULL;
- if (*count) {
- xrects = (xRectangle *) Xmalloc (*count * sizeof (xRectangle));
- rects = (XRectangle *) Xmalloc (*count * sizeof (XRectangle));
+ if (rep.nrects) {
+ if (rep.nrects < (INT_MAX / sizeof (XRectangle))) {
+ xrects = Xmalloc (rep.nrects * sizeof (xRectangle));
+ rects = Xmalloc (rep.nrects * sizeof (XRectangle));
+ } else {
+ xrects = NULL;
+ rects = NULL;
+ }
if (!xrects || !rects) {
- if (xrects)
- Xfree (xrects);
- if (rects)
- Xfree (rects);
+ Xfree (xrects);
+ Xfree (rects);
_XEatDataWords (dpy, rep.length);
rects = NULL;
*count = 0;
} else {
- _XRead (dpy, (char *) xrects, *count * sizeof (xRectangle));
- for (i = 0; i < *count; i++) {
+ _XRead (dpy, (char *) xrects, rep.nrects * sizeof (xRectangle));
+ for (i = 0; i < rep.nrects; i++) {
rects[i].x = (short) cvtINT16toInt (xrects[i].x);
rects[i].y = (short) cvtINT16toInt (xrects[i].y);
rects[i].width = xrects[i].width;