integer truncation in _XimParseStringFile() [CVE-2013-1981 8/13]

Called from _XimCreateDefaultTree() which uses getenv("XCOMPOSEFILE")
to specify filename.

If the size of off_t is larger than the size of unsigned long (as in
32-bit builds with large file flags), a file larger than 4 gigs could
have its size truncated, leading to data from that file being written
past the end of the undersized buffer allocated for it.

While configure.ac does not use AC_SYS_LARGEFILE to set large file mode,
builders may have added the large file compilation flags to CFLAGS on
their own.

size is left limited to an int, because if your Xim file is
larger than 2gb, you're doing it wrong.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Signed-off-by: Julien Cristau <jcristau@debian.org>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>

1 files changed, 3 insertions, 0 deletions

diff --git a/nx-X11/lib/X11/imLcPrs.c b/nx-X11/lib/X11/imLcPrs.c
index 549fe523a..5b9a2844e 100644
--- a/nx-X11/lib/X11/imLcPrs.c
+++ b/nx-X11/lib/X11/imLcPrs.c
@@ -41,6 +41,7 @@ OR PERFORMANCE OF THIS SOFTWARE.
 #include "Ximint.h"
 #include <sys/stat.h>
 #include <stdio.h>
+#include <limits.h>
 
 #define XLC_BUFSIZE 256
 
@@ -674,6 +675,8 @@ _XimParseStringFile(
 
     if (fstat (fileno (fp), &st) != -1) {
 	unsigned long size = (unsigned long) st.st_size;
+	if (st.st_size >= INT_MAX)
+	    return;
 	if (size <= sizeof tb) tbp = tb;
 	else tbp = malloc (size);