authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-04-13 14:43:48 -0700
committerAlan Coopersmith <alan.coopersmith@oracle.com>2013-04-26 19:32:20 -0700
commit4c4123441e40da97acd10f58911193ad3dcef5cd (patch)
treeecfe2891b005f45f65a943000d0fb7e0b4287b2d
parent47bb28ac0e6e49d3b6eb90c7c215f2fcf54f1a95 (diff)
avoid integer overflow in XF86VidModeGetModeLine()
rep.privsize is a CARD32 and needs to be bounds checked before multiplying by sizeof(INT32) to come up with the total size to allocate & read to avoid integer overflow, though it would not result in buffer overflow as the same calculation was used for both allocation & reading from the network. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-rw-r--r--src/XF86VMode.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/src/XF86VMode.c b/src/XF86VMode.c
index a32564e..fb94816 100644
--- a/src/XF86VMode.c
+++ b/src/XF86VMode.c
@@ -271,7 +271,10 @@ XF86VidModeGetModeLine(Display* dpy, int screen, int* dotclock,
}
if (modeline->privsize > 0) {
- modeline->private = Xcalloc(modeline->privsize, sizeof(INT32));
+ if (modeline->privsize < (INT_MAX / sizeof(INT32)))
+ modeline->private = Xcalloc(modeline->privsize, sizeof(INT32));
+ else
+ modeline->private = NULL;
if (modeline->private == NULL) {
_XEatDataWords(dpy, rep.length -
((SIZEOF(xXF86VidModeGetModeLineReply) - SIZEOF(xReply)) >> 2));
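Review bot: The added guard bounds `modeline->privsize` only against `INT_MAX / sizeof(INT32)`, so a server-supplied count in the hundreds of millions still passes and reaches `Xcalloc`; it is never compared with `rep.length`, which the error path just below already uses as the size of the reply. Both values are in 4-byte units, so the check could also reject a count larger than the words remaining in the reply, e.g. `if (modeline->privsize < (INT_MAX / sizeof(INT32)) && modeline->privsize <= remaining_words)`, where `remaining_words` is a placeholder for the `rep.length - ...` expression computed once and checked for underflow. The diffstat shows no added include, so `INT_MAX` relies on `<limits.h>` already being pulled in by this file, which is worth confirming. A comment such as `/* privsize comes from the server reply; refuse counts whose byte size would overflow */` above the new `if` would record why the NULL branch exists. The function body starts and ends outside the hunk, so the later read of the private data is not visible here.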