integer overflow in XvListImageFormats() [CVE-2013-1989 2/3]

num_formats is a CARD32 and needs to be bounds checked before multiplying by sizeof(XvImageFormatValues) to come up with the total size to allocate, to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
author: Alan Coopersmith <alan.coopersmith@oracle.com> 2013-04-13 00:03:03 -0700
committer: Alan Coopersmith <alan.coopersmith@oracle.com> 2013-05-07 14:04:18 -0700
commit: 59301c1b5095f7dc6359d5b396dbbcdee7038270 (patch)
tree: 8638a40c1ca8bae4a3b99ebf9556eb63c83ccd34 /src
parent: 15ab7dec17d686c38f2c82ac23a17cac5622322a (diff)
1 files changed, 3 insertions, 2 deletions
diff --git a/src/Xv.c b/src/Xv.c
index f9813eb..0a07d9d 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -918,9 +918,10 @@ XvImageFormatValues * XvListImageFormats (
   }
 
   if(rep.num_formats) {
-      int size = (rep.num_formats * sizeof(XvImageFormatValues));
+      if (rep.num_formats < (INT_MAX / sizeof(XvImageFormatValues)))
+	  ret = Xmalloc(rep.num_formats * sizeof(XvImageFormatValues));
 
-      if((ret = Xmalloc(size))) {
+      if (ret != NULL) {
 	  xvImageFormatInfo Info;
 	  int i;
author	Alan Coopersmith <alan.coopersmith@oracle.com>	2013-04-13 00:03:03 -0700
committer	Alan Coopersmith <alan.coopersmith@oracle.com>	2013-05-07 14:04:18 -0700
commit	59301c1b5095f7dc6359d5b396dbbcdee7038270 (patch)
tree	8638a40c1ca8bae4a3b99ebf9556eb63c83ccd34 /src
parent	15ab7dec17d686c38f2c82ac23a17cac5622322a (diff)