diff options
author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-03-02 15:08:21 -0800 |
---|---|---|
committer | Ulrich Sibiller <uli42@gmx.de> | 2016-10-12 09:34:38 +0200 |
commit | 306ca006a54c5f74a6fe90eb794efa06ff33b259 (patch) | |
tree | e4751964c117a2b4f83db62ec4b5197c04586e76 | |
parent | 748af521e9e8d82b8f32d5efe73fa7ad3eebaf71 (diff) | |
download | nx-libs-306ca006a54c5f74a6fe90eb794efa06ff33b259.tar.gz nx-libs-306ca006a54c5f74a6fe90eb794efa06ff33b259.tar.bz2 nx-libs-306ca006a54c5f74a6fe90eb794efa06ff33b259.zip |
integer overflow in XGetModifierMapping() [CVE-2013-1981 13/13]
Ensure that we don't underallocate when the server claims a very large reply
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Signed-off-by: Julien Cristau <jcristau@debian.org>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
-rw-r--r-- | nx-X11/lib/X11/ModMap.c | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/nx-X11/lib/X11/ModMap.c b/nx-X11/lib/X11/ModMap.c index c99bfdd5f..122ca80db 100644 --- a/nx-X11/lib/X11/ModMap.c +++ b/nx-X11/lib/X11/ModMap.c @@ -28,6 +28,7 @@ in this Software without prior written authorization from The Open Group. #include <config.h> #endif #include "Xlibint.h" +#include <limits.h> XModifierKeymap * XGetModifierMapping(register Display *dpy) @@ -41,13 +42,17 @@ XGetModifierMapping(register Display *dpy) GetEmptyReq(GetModifierMapping, req); (void) _XReply (dpy, (xReply *)&rep, 0, xFalse); - nbytes = (unsigned long)rep.length << 2; - res = (XModifierKeymap *) Xmalloc(sizeof (XModifierKeymap)); - if (res) res->modifiermap = (KeyCode *) Xmalloc ((unsigned) nbytes); + if (rep.length < (LONG_MAX >> 2)) { + nbytes = (unsigned long)rep.length << 2; + res = Xmalloc(sizeof (XModifierKeymap)); + if (res) + res->modifiermap = Xmalloc (nbytes); + } else + res = NULL; if ((! res) || (! res->modifiermap)) { if (res) Xfree((char *) res); res = (XModifierKeymap *) NULL; - _XEatData(dpy, nbytes); + _XEatDataWords(dpy, rep.length); } else { _XReadPad(dpy, (char *) res->modifiermap, (long) nbytes); res->max_keypermod = rep.numKeyPerModifier; |