summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-04-13 10:24:08 -0700
committerAlan Coopersmith <alan.coopersmith@oracle.com>2013-05-03 23:54:16 -0700
commitc480fe3271873ec7471b0cbd680f4dac18ca8904 (patch)
tree705d4675da377371a3663e9d8f8302f35d4485d8
parentb031e3b60fa1af9e49449f23d4a84395868be3ab (diff)
integer overflow in XFixesGetCursorImage() [CVE-2013-1983]
If the reported cursor dimensions or name length are too large, the calculations to allocate memory for them may overflow, leaving us writing beyond the bounds of the allocation. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-rw-r--r--src/Cursor.c30
1 files changed, 18 insertions, 12 deletions
diff --git a/src/Cursor.c b/src/Cursor.c
index 641b747..33590b7 100644
--- a/src/Cursor.c
+++ b/src/Cursor.c
@@ -47,6 +47,7 @@
#include <config.h>
#endif
#include "Xfixesint.h"
+#include <limits.h>
void
XFixesSelectCursorInput (Display *dpy,
@@ -74,9 +75,9 @@ XFixesGetCursorImage (Display *dpy)
XFixesExtDisplayInfo *info = XFixesFindDisplay (dpy);
xXFixesGetCursorImageAndNameReq *req;
xXFixesGetCursorImageAndNameReply rep;
- int npixels;
- int nbytes_name;
- int nbytes, nread, rlength;
+ size_t npixels;
+ size_t nbytes_name;
+ size_t nbytes, nread, rlength;
XFixesCursorImage *image;
char *name;
@@ -101,16 +102,21 @@ XFixesGetCursorImage (Display *dpy)
}
npixels = rep.width * rep.height;
nbytes_name = rep.nbytes;
- /* reply data length */
- nbytes = (long) rep.length << 2;
- /* bytes of actual data in the reply */
- nread = (npixels << 2) + nbytes_name;
- /* size of data returned to application */
- rlength = (sizeof (XFixesCursorImage) +
- npixels * sizeof (unsigned long) +
- nbytes_name + 1);
+ if ((rep.length < (INT_MAX >> 2)) &&
+ npixels < (((INT_MAX >> 3) - sizeof (XFixesCursorImage) - 1)
+ - nbytes_name)) {
+ /* reply data length */
+ nbytes = (size_t) rep.length << 2;
+ /* bytes of actual data in the reply */
+ nread = (npixels << 2) + nbytes_name;
+ /* size of data returned to application */
+ rlength = (sizeof (XFixesCursorImage) +
+ npixels * sizeof (unsigned long) +
+ nbytes_name + 1);
- image = (XFixesCursorImage *) Xmalloc (rlength);
+ image = Xmalloc (rlength);
+ } else
+ image = NULL;
if (!image)
{
_XEatDataWords(dpy, rep.length);