From 2712383813b26475dc6713888414d842be57f8ca Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Sat, 13 Apr 2013 00:50:02 -0700 Subject: integer overflow in XvMCListSurfaceTypes() [CVE-2013-1990 1/2] rep.num is a CARD32 and needs to be bounds checked before multiplying by sizeof(XvMCSurfaceInfo) to come up with the total size to allocate, to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel Signed-off-by: Alan Coopersmith --- src/XvMC.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'src/XvMC.c') diff --git a/src/XvMC.c b/src/XvMC.c index b3e97ec..5d8c2cf 100644 --- a/src/XvMC.c +++ b/src/XvMC.c @@ -123,8 +123,8 @@ XvMCSurfaceInfo * XvMCListSurfaceTypes(Display *dpy, XvPortID port, int *num) } if(rep.num > 0) { - surface_info = - (XvMCSurfaceInfo*)Xmalloc(rep.num * sizeof(XvMCSurfaceInfo)); + if (rep.num < (INT_MAX / sizeof(XvMCSurfaceInfo))) + surface_info = Xmalloc(rep.num * sizeof(XvMCSurfaceInfo)); if(surface_info) { xvmcSurfaceInfo sinfo; -- cgit v1.2.3