aboutsummaryrefslogtreecommitdiff
path: root/nx-X11/lib/X11
diff options
context:
space:
mode:
authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-03-08 22:25:35 -0800
committerUlrich Sibiller <uli42@gmx.de>2016-10-12 09:34:38 +0200
commit361d36770ba3ceef0272e53c59c169f16f16ecf6 (patch)
tree1b0765771257b613cca09318275cb4edd4521bbd /nx-X11/lib/X11
parent25172302a39c4e0c90dffbdcfa88b99ac442a2f9 (diff)
downloadnx-libs-361d36770ba3ceef0272e53c59c169f16f16ecf6.tar.gz
nx-libs-361d36770ba3ceef0272e53c59c169f16f16ecf6.tar.bz2
nx-libs-361d36770ba3ceef0272e53c59c169f16f16ecf6.zip
integer overflow in XGetWindowProperty() [CVE-2013-1981 10/13]
If the reported number of properties is too large, the calculations to allocate memory for them may overflow, leaving us returning less memory to the caller than implied by the value written to *nitems. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
Diffstat (limited to 'nx-X11/lib/X11')
-rw-r--r--nx-X11/lib/X11/GetProp.c25
1 files changed, 16 insertions, 9 deletions
diff --git a/nx-X11/lib/X11/GetProp.c b/nx-X11/lib/X11/GetProp.c
index a80c19c50..a9c357d69 100644
--- a/nx-X11/lib/X11/GetProp.c
+++ b/nx-X11/lib/X11/GetProp.c
@@ -28,6 +28,7 @@ in this Software without prior written authorization from The Open Group.
#include <config.h>
#endif
#include "Xlibint.h"
+#include <limits.h>
int
XGetWindowProperty(
@@ -66,8 +67,17 @@ XGetWindowProperty(
*prop = (unsigned char *) NULL;
if (reply.propertyType != None) {
- long nbytes, netbytes;
- switch (reply.format) {
+ unsigned long nbytes, netbytes;
+ int format = reply.format;
+
+ /*
+ * Protect against both integer overflow and just plain oversized
+ * memory allocation - no server should ever return this many props.
+ */
+ if (reply.nItems >= (INT_MAX >> 4))
+ format = -1; /* fall through to default error case */
+
+ switch (format) {
/*
* One extra byte is malloced than is needed to contain the property
* data, but this last byte is null terminated and convenient for
@@ -76,24 +86,21 @@ XGetWindowProperty(
*/
case 8:
nbytes = netbytes = reply.nItems;
- if (nbytes + 1 > 0 &&
- (*prop = (unsigned char *) Xmalloc ((unsigned)nbytes + 1)))
+ if (nbytes + 1 > 0 && (*prop = Xmalloc (nbytes + 1)))
_XReadPad (dpy, (char *) *prop, netbytes);
break;
case 16:
nbytes = reply.nItems * sizeof (short);
netbytes = reply.nItems << 1;
- if (nbytes + 1 > 0 &&
- (*prop = (unsigned char *) Xmalloc ((unsigned)nbytes + 1)))
+ if (nbytes + 1 > 0 && (*prop = Xmalloc (nbytes + 1)))
_XRead16Pad (dpy, (short *) *prop, netbytes);
break;
case 32:
nbytes = reply.nItems * sizeof (long);
netbytes = reply.nItems << 2;
- if (nbytes + 1 > 0 &&
- (*prop = (unsigned char *) Xmalloc ((unsigned)nbytes + 1)))
+ if (nbytes + 1 > 0 && (*prop = Xmalloc (nbytes + 1)))
_XRead32 (dpy, (long *) *prop, netbytes);
break;
@@ -115,7 +122,7 @@ XGetWindowProperty(
break;
}
if (! *prop) {
- _XEatData(dpy, (unsigned long) netbytes);
+ _XEatDataWords(dpy, reply.length);
UnlockDisplay(dpy);
SyncHandle();
return(BadAlloc); /* not Success */