aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-03-02 15:08:21 -0800
committerUlrich Sibiller <uli42@gmx.de>2016-10-12 09:34:38 +0200
commit9501bce22ee691b8de707e6b8ffdbd7e7e71058c (patch)
tree9db26feec70d67802af360dc02c313e5865e66b5
parent361d36770ba3ceef0272e53c59c169f16f16ecf6 (diff)
downloadnx-libs-9501bce22ee691b8de707e6b8ffdbd7e7e71058c.tar.gz
nx-libs-9501bce22ee691b8de707e6b8ffdbd7e7e71058c.tar.bz2
nx-libs-9501bce22ee691b8de707e6b8ffdbd7e7e71058c.zip
integer overflow in XGetImage() [CVE-2013-1981 11/13]
Ensure that we don't underallocate when the server claims to have sent a very large reply. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
-rw-r--r--nx-X11/lib/X11/GetImage.c12
1 files changed, 8 insertions, 4 deletions
diff --git a/nx-X11/lib/X11/GetImage.c b/nx-X11/lib/X11/GetImage.c
index ddd434a81..59fb45eb1 100644
--- a/nx-X11/lib/X11/GetImage.c
+++ b/nx-X11/lib/X11/GetImage.c
@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
#include "Xlibint.h"
#include <nx-X11/Xutil.h> /* for XDestroyImage */
#include "ImUtil.h"
+#include <limits.h>
#define ROUNDUP(nbytes, pad) (((((nbytes) - 1) + (pad)) / (pad)) * (pad))
@@ -56,7 +57,7 @@ XImage *XGetImage (
xGetImageReply rep;
register xGetImageReq *req;
char *data;
- long nbytes;
+ unsigned long nbytes;
XImage *image;
LockDisplay(dpy);
GetReq (GetImage, req);
@@ -78,10 +79,13 @@ XImage *XGetImage (
return (XImage *)NULL;
}
- nbytes = (long)rep.length << 2;
- data = (char *) Xmalloc((unsigned) nbytes);
+ if (rep.length < (INT_MAX >> 2)) {
+ nbytes = (unsigned long)rep.length << 2;
+ data = Xmalloc(nbytes);
+ } else
+ data = NULL;
if (! data) {
- _XEatData(dpy, (unsigned long) nbytes);
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay(dpy);
SyncHandle();
return (XImage *) NULL;