From 00d7a2e5ba30ded2d3d9ecc696bf324586a380b0 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri, 1 Mar 2013 18:37:37 -0800
Subject: integer overflow in ReadInFile() in Xrm.c [CVE-2013-1981 7/13]

Called from XrmGetFileDatabase() which gets called from InitDefaults()
which gets the filename from getenv ("XENVIRONMENT")

If file is exactly 0xffffffff bytes long (or longer and truncates to
0xffffffff, on implementations where off_t is larger than an int),
then size may be set to a value which overflows causing less memory
to be allocated than is written to by the following read() call.

size is left limited to an int, because if your Xresources file is
larger than 2gb, you're very definitely doing it wrong.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Signed-off-by: Julien Cristau <jcristau@debian.org>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
---
 nx-X11/lib/X11/XrmI.h | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/nx-X11/lib/X11/XrmI.h b/nx-X11/lib/X11/XrmI.h
index a1615f4e5..63ed257ed 100644
--- a/nx-X11/lib/X11/XrmI.h
+++ b/nx-X11/lib/X11/XrmI.h
@@ -35,11 +35,13 @@ from The Open Group.
 
 #include	<nx-X11/Xos.h>
 #include        <sys/stat.h>
+#include        <limits.h>
 
 #define GetSizeOfFile(fd,size)                      \
 {                                                   \
     struct stat status_buffer;                      \
-    if ( (fstat((fd), &status_buffer)) == -1 )      \
+    if ( ((fstat((fd), &status_buffer)) == -1 ) ||  \
+         (status_buffer.st_size >= INT_MAX) )       \
 	size = -1;                                  \
     else                                            \
 	size = status_buffer.st_size;               \
-- 
cgit v1.2.3