summaryrefslogtreecommitdiff
path: root/src/glx
diff options
context:
space:
mode:
authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-04-26 16:33:03 -0700
committerAlan Coopersmith <alan.coopersmith@oracle.com>2013-05-30 18:03:45 -0700
commit306f630e676eb901789dd09a0f30d7e7fa941ebe (patch)
tree3aa7e45fd1d42f3045343c356926c9e1cc9d0767 /src/glx
parent2e5a268f18be30df15aed0b44b01a18a37fb5df4 (diff)
integer overflow in XF86DRIGetClientDriverName() [CVE-2013-1993 2/2]
clientDriverNameLength is a CARD32 and needs to be bounds checked before adding one to it to come up with the total size to allocate, to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. NOTE: This is a candidate for stable release branches. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Brian Paul <brianp@vmware.com>
Diffstat (limited to 'src/glx')
-rw-r--r--src/glx/XF86dri.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/src/glx/XF86dri.c b/src/glx/XF86dri.c
index 8f53bd7195..56e3557060 100644
--- a/src/glx/XF86dri.c
+++ b/src/glx/XF86dri.c
@@ -305,9 +305,11 @@ XF86DRIGetClientDriverName(Display * dpy, int screen,
*ddxDriverPatchVersion = rep.ddxDriverPatchVersion;
if (rep.length) {
- if (!
- (*clientDriverName =
- calloc(rep.clientDriverNameLength + 1, 1))) {
+ if (rep.clientDriverNameLength < INT_MAX)
+ *clientDriverName = calloc(rep.clientDriverNameLength + 1, 1);
+ else
+ *clientDriverName = NULL;
+ if (*clientDriverName == NULL) {
_XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3));
UnlockDisplay(dpy);
SyncHandle();