aboutsummaryrefslogtreecommitdiff
path: root/nx-X11/lib/X11/GetPntMap.c
diff options
context:
space:
mode:
authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-03-02 15:08:21 -0800
committerUlrich Sibiller <uli42@gmx.de>2016-10-12 09:34:38 +0200
commit748af521e9e8d82b8f32d5efe73fa7ad3eebaf71 (patch)
treea7ce71dc048b88f056d4d36c0109fb345d169ef6 /nx-X11/lib/X11/GetPntMap.c
parent9501bce22ee691b8de707e6b8ffdbd7e7e71058c (diff)
downloadnx-libs-748af521e9e8d82b8f32d5efe73fa7ad3eebaf71.tar.gz
nx-libs-748af521e9e8d82b8f32d5efe73fa7ad3eebaf71.tar.bz2
nx-libs-748af521e9e8d82b8f32d5efe73fa7ad3eebaf71.zip
integer overflow in XGetPointerMapping() & XGetKeyboardMapping() [CVE-2013-1981 12/13]
Ensure that we don't underallocate when the server claims a very large reply Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
Diffstat (limited to 'nx-X11/lib/X11/GetPntMap.c')
-rw-r--r--nx-X11/lib/X11/GetPntMap.c31
1 files changed, 20 insertions, 11 deletions
diff --git a/nx-X11/lib/X11/GetPntMap.c b/nx-X11/lib/X11/GetPntMap.c
index 0fcdb6696..29fdf21f0 100644
--- a/nx-X11/lib/X11/GetPntMap.c
+++ b/nx-X11/lib/X11/GetPntMap.c
@@ -29,6 +29,7 @@ in this Software without prior written authorization from The Open Group.
#include <config.h>
#endif
#include "Xlibint.h"
+#include <limits.h>
#ifdef MIN /* some systems define this in <sys/param.h> */
#undef MIN
@@ -42,7 +43,7 @@ int XGetPointerMapping (
{
unsigned char mapping[256]; /* known fixed size */
- long nbytes, remainder = 0;
+ unsigned long nbytes, remainder = 0;
xGetPointerMappingReply rep;
register xReq *req;
@@ -54,9 +55,15 @@ int XGetPointerMapping (
return 0;
}
- nbytes = (long)rep.length << 2;
-
/* Don't count on the server returning a valid value */
+ if (rep.length >= (INT_MAX >> 2)) {
+ _XEatDataWords(dpy, rep.length);
+ UnlockDisplay(dpy);
+ SyncHandle();
+ return 0;
+ }
+
+ nbytes = (unsigned long) rep.length << 2;
if (nbytes > sizeof mapping) {
remainder = nbytes - sizeof mapping;
nbytes = sizeof mapping;
@@ -69,7 +76,7 @@ int XGetPointerMapping (
}
if (remainder)
- _XEatData(dpy, (unsigned long)remainder);
+ _XEatData(dpy, remainder);
UnlockDisplay(dpy);
SyncHandle();
@@ -86,8 +93,8 @@ XGetKeyboardMapping (Display *dpy,
int count,
int *keysyms_per_keycode)
{
- long nbytes;
- unsigned long nkeysyms;
+ unsigned long nbytes;
+ CARD32 nkeysyms;
register KeySym *mapping = NULL;
xGetKeyboardMappingReply rep;
register xGetKeyboardMappingReq *req;
@@ -102,17 +109,19 @@ XGetKeyboardMapping (Display *dpy,
return (KeySym *) NULL;
}
- nkeysyms = (unsigned long) rep.length;
+ nkeysyms = rep.length;
if (nkeysyms > 0) {
- nbytes = nkeysyms * sizeof (KeySym);
- mapping = (KeySym *) Xmalloc ((unsigned) nbytes);
- nbytes = nkeysyms << 2;
+ if (nkeysyms < (INT_MAX / sizeof (KeySym))) {
+ nbytes = nkeysyms * sizeof (KeySym);
+ mapping = Xmalloc (nbytes);
+ }
if (! mapping) {
- _XEatData(dpy, (unsigned long) nbytes);
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay(dpy);
SyncHandle();
return (KeySym *) NULL;
}
+ nbytes = nkeysyms << 2;
_XRead32 (dpy, (long *) mapping, nbytes);
}
*keysyms_per_keycode = rep.keySymsPerKeyCode;