integer overflow in XResQueryClientResources() [CVE-2013-1988 2/2]

The CARD32 rep.num_types needs to be bounds checked before multiplying by sizeof(XResType) to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
author: Alan Coopersmith <alan.coopersmith@oracle.com> 2013-04-12 23:36:13 -0700
committer: Alan Coopersmith <alan.coopersmith@oracle.com> 2013-05-07 18:47:48 -0700
commit: ad156a716a324ee60362c8ba66a5ed8c835c219b (patch)
tree: 0476b56af382c69f2403ea681af218fe5e40d91c
parent: 3ec2db9eeb9ba8fb561802b0c4b8bf79e321b7a2 (diff)
1 files changed, 6 insertions, 1 deletions
diff --git a/src/XRes.c b/src/XRes.c
index 5117321..ff21dd4 100644
--- a/src/XRes.c
+++ b/src/XRes.c
@@ -186,7 +186,12 @@ Status XResQueryClientResources (
     }
 
     if(rep.num_types) {
-        if((typs = Xmalloc(sizeof(XResType) * rep.num_types))) {
+        if (rep.num_types < (INT_MAX / sizeof(XResType)))
+            typs = Xmalloc(sizeof(XResType) * rep.num_types);
+        else
+            typs = NULL;
+
+        if (typs != NULL) {
             xXResType scratch;
             int i;
author	Alan Coopersmith <alan.coopersmith@oracle.com>	2013-04-12 23:36:13 -0700
committer	Alan Coopersmith <alan.coopersmith@oracle.com>	2013-05-07 18:47:48 -0700
commit	ad156a716a324ee60362c8ba66a5ed8c835c219b (patch)
tree	0476b56af382c69f2403ea681af218fe5e40d91c
parent	3ec2db9eeb9ba8fb561802b0c4b8bf79e321b7a2 (diff)