aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-03-02 15:08:21 -0800
committerUlrich Sibiller <uli42@gmx.de>2016-10-12 09:34:38 +0200
commit306ca006a54c5f74a6fe90eb794efa06ff33b259 (patch)
treee4751964c117a2b4f83db62ec4b5197c04586e76
parent748af521e9e8d82b8f32d5efe73fa7ad3eebaf71 (diff)
downloadnx-libs-306ca006a54c5f74a6fe90eb794efa06ff33b259.tar.gz
nx-libs-306ca006a54c5f74a6fe90eb794efa06ff33b259.tar.bz2
nx-libs-306ca006a54c5f74a6fe90eb794efa06ff33b259.zip
integer overflow in XGetModifierMapping() [CVE-2013-1981 13/13]
Ensure that we don't underallocate when the server claims a very large reply Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
-rw-r--r--nx-X11/lib/X11/ModMap.c13
1 files changed, 9 insertions, 4 deletions
diff --git a/nx-X11/lib/X11/ModMap.c b/nx-X11/lib/X11/ModMap.c
index c99bfdd5f..122ca80db 100644
--- a/nx-X11/lib/X11/ModMap.c
+++ b/nx-X11/lib/X11/ModMap.c
@@ -28,6 +28,7 @@ in this Software without prior written authorization from The Open Group.
#include <config.h>
#endif
#include "Xlibint.h"
+#include <limits.h>
XModifierKeymap *
XGetModifierMapping(register Display *dpy)
@@ -41,13 +42,17 @@ XGetModifierMapping(register Display *dpy)
GetEmptyReq(GetModifierMapping, req);
(void) _XReply (dpy, (xReply *)&rep, 0, xFalse);
- nbytes = (unsigned long)rep.length << 2;
- res = (XModifierKeymap *) Xmalloc(sizeof (XModifierKeymap));
- if (res) res->modifiermap = (KeyCode *) Xmalloc ((unsigned) nbytes);
+ if (rep.length < (LONG_MAX >> 2)) {
+ nbytes = (unsigned long)rep.length << 2;
+ res = Xmalloc(sizeof (XModifierKeymap));
+ if (res)
+ res->modifiermap = Xmalloc (nbytes);
+ } else
+ res = NULL;
if ((! res) || (! res->modifiermap)) {
if (res) Xfree((char *) res);
res = (XModifierKeymap *) NULL;
- _XEatData(dpy, nbytes);
+ _XEatDataWords(dpy, rep.length);
} else {
_XReadPad(dpy, (char *) res->modifiermap, (long) nbytes);
res->max_keypermod = rep.numKeyPerModifier;