diff options
author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-03-02 15:08:21 -0800 |
---|---|---|
committer | Ulrich Sibiller <uli42@gmx.de> | 2016-10-12 09:34:38 +0200 |
commit | 9501bce22ee691b8de707e6b8ffdbd7e7e71058c (patch) | |
tree | 9db26feec70d67802af360dc02c313e5865e66b5 /nx-X11 | |
parent | 361d36770ba3ceef0272e53c59c169f16f16ecf6 (diff) | |
download | nx-libs-9501bce22ee691b8de707e6b8ffdbd7e7e71058c.tar.gz nx-libs-9501bce22ee691b8de707e6b8ffdbd7e7e71058c.tar.bz2 nx-libs-9501bce22ee691b8de707e6b8ffdbd7e7e71058c.zip |
integer overflow in XGetImage() [CVE-2013-1981 11/13]
Ensure that we don't underallocate when the server claims to have sent a
very large reply.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Signed-off-by: Julien Cristau <jcristau@debian.org>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
Diffstat (limited to 'nx-X11')
-rw-r--r-- | nx-X11/lib/X11/GetImage.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/nx-X11/lib/X11/GetImage.c b/nx-X11/lib/X11/GetImage.c index ddd434a81..59fb45eb1 100644 --- a/nx-X11/lib/X11/GetImage.c +++ b/nx-X11/lib/X11/GetImage.c @@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group. #include "Xlibint.h" #include <nx-X11/Xutil.h> /* for XDestroyImage */ #include "ImUtil.h" +#include <limits.h> #define ROUNDUP(nbytes, pad) (((((nbytes) - 1) + (pad)) / (pad)) * (pad)) @@ -56,7 +57,7 @@ XImage *XGetImage ( xGetImageReply rep; register xGetImageReq *req; char *data; - long nbytes; + unsigned long nbytes; XImage *image; LockDisplay(dpy); GetReq (GetImage, req); @@ -78,10 +79,13 @@ XImage *XGetImage ( return (XImage *)NULL; } - nbytes = (long)rep.length << 2; - data = (char *) Xmalloc((unsigned) nbytes); + if (rep.length < (INT_MAX >> 2)) { + nbytes = (unsigned long)rep.length << 2; + data = Xmalloc(nbytes); + } else + data = NULL; if (! data) { - _XEatData(dpy, (unsigned long) nbytes); + _XEatDataWords(dpy, rep.length); UnlockDisplay(dpy); SyncHandle(); return (XImage *) NULL; |