author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-04-26 23:59:25 -0700 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-05-07 14:02:01 -0700 |
commit | babb1fc823ab3be192c48fe115feeb0d57f74d05 (patch) | |
tree | f48a61a673e893262cfcd4346dcfe0a3a1c0ea51 | |
parent | 15ec6d1d0bb8c4cb24a190ed34e63312a0623670 (diff) |
integer overflow in XpGetAttributes & XpGetOneAttribute [CVE-2013-2062 1/3]
stringLen & valueLen are CARD32s and need to be bounds checked before adding
one to them to come up with the total size to allocate, to avoid integer
overflow leading to underallocation and writing data from the network past
the end of the allocated buffer.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-rw-r--r-- | src/XpAttr.c | 36 |
1 files changed, 19 insertions, 17 deletions
diff --git a/src/XpAttr.c b/src/XpAttr.c
index 6818daf..665e2e8 100644
--- a/src/XpAttr.c
+++ b/src/XpAttr.c
@@ -48,6 +48,7 @@
 #include <stdio.h>
 #include <sys/stat.h>
+#include <limits.h>
 char *
 XpGetAttributes (
@@ -83,17 +84,18 @@ XpGetAttributes (
 /*
 * Read pool and return to caller.
 */
- buf = Xmalloc( (unsigned) rep.stringLen + 1 );
+ if (rep.stringLen < INT_MAX)
+ buf = Xmalloc(rep.stringLen + 1);
+ else
+ buf = NULL;
 if (!buf) {
- UnlockDisplay(dpy);
- SyncHandle();
- return( (char *) NULL ); /* malloc error */
+ _XEatDataWords(dpy, rep.length);
+ }
+ else {
+ _XReadPad (dpy, (char *) buf, rep.stringLen );
+ buf[rep.stringLen] = 0;
 }
-
- _XReadPad (dpy, (char *) buf, (long) rep.stringLen );
-
- buf[rep.stringLen] = 0;
 UnlockDisplay(dpy);
 SyncHandle();
@@ -144,18 +146,18 @@ XpGetOneAttribute (
 /*
 * Read variable answer.
 */
- buf = Xmalloc( (unsigned) rep.valueLen + 1 );
+ if (rep.valueLen < INT_MAX)
+ buf = Xmalloc(rep.valueLen + 1);
+ else
+ buf = NULL;
 if (!buf) {
- UnlockDisplay(dpy);
- SyncHandle();
- return( (char *) NULL ); /* malloc error */
+ _XEatDataWords(dpy, rep.length);
+ }
+ else {
+ _XReadPad (dpy, (char *) buf, rep.valueLen);
+ buf[rep.valueLen] = 0;
 }
-
- buf[rep.valueLen] = 0;
-
- _XReadPad (dpy, (char *) buf, (long) rep.valueLen );
- buf[rep.valueLen] = 0;
 UnlockDisplay(dpy);
 SyncHandle(); |
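Review bot: `rep.stringLen` is bounded against `INT_MAX` in the XpGetAttributes hunk but never compared with `rep.length`, so the `_XReadPad` in the new `else` branch still trusts the server-supplied length for how many bytes to read from the connection; the same holds for `rep.valueLen` in the XpGetOneAttribute hunk. A reply that declares more string bytes than its payload carries would leave the client reading into whatever follows on the wire, or waiting for data that is not coming. Assuming the reply payload holds only this string (the reply struct is not visible on this page), the guard could become `if (rep.stringLen < INT_MAX && ((rep.stringLen + 3) >> 2) <= rep.length)`, letting the existing `_XEatDataWords(dpy, rep.length)` branch discard the inconsistent reply. Both function bodies start and end outside their hunks, so a check elsewhere in them cannot be ruled out from here.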