From 306ca006a54c5f74a6fe90eb794efa06ff33b259 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith
Date: Sat, 2 Mar 2013 15:08:21 -0800
Subject: integer overflow in XGetModifierMapping() [CVE-2013-1981 13/13]

Ensure that we don't underallocate when the server claims a very large reply

Signed-off-by: Alan Coopersmith
Reviewed-by: Matthieu Herrb
Signed-off-by: Julien Cristau
Backported-to-NX-by: Ulrich Sibiller
---
 nx-X11/lib/X11/ModMap.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/nx-X11/lib/X11/ModMap.c b/nx-X11/lib/X11/ModMap.c
index c99bfdd5f..122ca80db 100644
--- a/nx-X11/lib/X11/ModMap.c
+++ b/nx-X11/lib/X11/ModMap.c
@@ -28,6 +28,7 @@ in this Software without prior written authorization from The Open Group.
 #include
 #endif
 #include "Xlibint.h"
+#include
 XModifierKeymap *
 XGetModifierMapping(register Display *dpy)
@@ -41,13 +42,17 @@ XGetModifierMapping(register Display *dpy)
 GetEmptyReq(GetModifierMapping, req);
 (void) _XReply (dpy, (xReply *)&rep, 0, xFalse);
- nbytes = (unsigned long)rep.length << 2;
- res = (XModifierKeymap *) Xmalloc(sizeof (XModifierKeymap));
- if (res) res->modifiermap = (KeyCode *) Xmalloc ((unsigned) nbytes);
+ if (rep.length < (LONG_MAX >> 2)) {
+ nbytes = (unsigned long)rep.length << 2;
+ res = Xmalloc(sizeof (XModifierKeymap));
+ if (res)
+ res->modifiermap = Xmalloc (nbytes);
+ } else
+ res = NULL;
 if ((! res) || (! res->modifiermap)) {
 if (res) Xfree((char *) res);
 res = (XModifierKeymap *) NULL;
- _XEatData(dpy, nbytes);
+ _XEatDataWords(dpy, rep.length);
 } else {
 _XReadPad(dpy, (char *) res->modifiermap, (long) nbytes);
 res->max_keypermod = rep.numKeyPerModifier;
--
cgit v1.2.3
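Review bot: The new guard in the second hunk bounds `rep.length` only against `LONG_MAX >> 2`; nothing checks that it agrees with `rep.numKeyPerModifier`, which is copied into `res->max_keypermod` right after `_XReadPad`. The core protocol defines this reply's length as 2n words for n keys per modifier, so a reply with a short length and a large `numKeyPerModifier` leaves `modifiermap` smaller than the 8 * max_keypermod bytes that users of the keymap presumably index. Folding the check into the guard, `if (rep.length < (LONG_MAX >> 2) && rep.length == 2UL * rep.numKeyPerModifier) {`, would route a mismatched reply down the existing `res = NULL` / `_XEatDataWords` path. Separately, the context line `(void) _XReply (...)` discards the return value, so `rep.length` is read even if no valid reply arrived; the body of XGetModifierMapping starts and ends outside this hunk, so an earlier initialisation of `rep` cannot be ruled out.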