From 748af521e9e8d82b8f32d5efe73fa7ad3eebaf71 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 2 Mar 2013 15:08:21 -0800
Subject: integer overflow in XGetPointerMapping() & XGetKeyboardMapping()
 [CVE-2013-1981 12/13]

Ensure that we don't underallocate when the server claims a very large reply

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Signed-off-by: Julien Cristau <jcristau@debian.org>
Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>
---
 nx-X11/lib/X11/GetPntMap.c | 31 ++++++++++++++++++++-----------
 1 file changed, 20 insertions(+), 11 deletions(-)

(limited to 'nx-X11/lib/X11/GetPntMap.c')

diff --git a/nx-X11/lib/X11/GetPntMap.c b/nx-X11/lib/X11/GetPntMap.c
index 0fcdb6696..29fdf21f0 100644
--- a/nx-X11/lib/X11/GetPntMap.c
+++ b/nx-X11/lib/X11/GetPntMap.c
@@ -29,6 +29,7 @@ in this Software without prior written authorization from The Open Group.
 #include <config.h>
 #endif
 #include "Xlibint.h"
+#include <limits.h>
 
 #ifdef MIN		/* some systems define this in <sys/param.h> */
 #undef MIN
@@ -42,7 +43,7 @@ int XGetPointerMapping (
 
 {
     unsigned char mapping[256];	/* known fixed size */
-    long nbytes, remainder = 0;
+    unsigned long nbytes, remainder = 0;
     xGetPointerMappingReply rep;
     register xReq *req;
 
@@ -54,9 +55,15 @@ int XGetPointerMapping (
 	return 0;
     }
 
-    nbytes = (long)rep.length << 2;
-
     /* Don't count on the server returning a valid value */
+    if (rep.length >= (INT_MAX >> 2)) {
+	_XEatDataWords(dpy, rep.length);
+	UnlockDisplay(dpy);
+	SyncHandle();
+	return 0;
+    }
+
+    nbytes = (unsigned long) rep.length << 2;
     if (nbytes > sizeof mapping) {
 	remainder = nbytes - sizeof mapping;
 	nbytes = sizeof mapping;
@@ -69,7 +76,7 @@ int XGetPointerMapping (
 	}
 
     if (remainder)
-	_XEatData(dpy, (unsigned long)remainder);
+	_XEatData(dpy, remainder);
 
     UnlockDisplay(dpy);
     SyncHandle();
@@ -86,8 +93,8 @@ XGetKeyboardMapping (Display *dpy,
 			     int count,
 			     int *keysyms_per_keycode)
 {
-    long nbytes;
-    unsigned long nkeysyms;
+    unsigned long nbytes;
+    CARD32 nkeysyms;
     register KeySym *mapping = NULL;
     xGetKeyboardMappingReply rep;
     register xGetKeyboardMappingReq *req;
@@ -102,17 +109,19 @@ XGetKeyboardMapping (Display *dpy,
 	return (KeySym *) NULL;
     }
 
-    nkeysyms = (unsigned long) rep.length;
+    nkeysyms = rep.length;
     if (nkeysyms > 0) {
-	nbytes = nkeysyms * sizeof (KeySym);
-	mapping = (KeySym *) Xmalloc ((unsigned) nbytes);
-	nbytes = nkeysyms << 2;
+	if (nkeysyms < (INT_MAX / sizeof (KeySym))) {
+	    nbytes = nkeysyms * sizeof (KeySym);
+	    mapping = Xmalloc (nbytes);
+	}
 	if (! mapping) {
-	    _XEatData(dpy, (unsigned long) nbytes);
+	    _XEatDataWords(dpy, rep.length);
 	    UnlockDisplay(dpy);
 	    SyncHandle();
 	    return (KeySym *) NULL;
 	}
+	nbytes = nkeysyms << 2;
 	_XRead32 (dpy, (long *) mapping, nbytes);
     }
     *keysyms_per_keycode = rep.keySymsPerKeyCode;
-- 
cgit v1.2.3