fdo-mirrors/xorg-libx11
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/xorg/lib/libx11.git synced 2026-05-07 05:08:03 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

integer overflow in XGetWindowProperty() [CVE-2013-1981 10/13]

Browse source 
If the reported number of properties is too large, the calculations
to allocate memory for them may overflow, leaving us returning less
memory to the caller than implied by the value written to *nitems.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
This commit is contained in:
Alan Coopersmith 2013-03-08 22:25:35 -08:00
parent 164bf4dfe8
commit 79d8dc08eb
1 changed files with 16 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
src/GetProp.c
View file

@ -28,6 +28,7 @@ in this Software without prior written authorization from The Open Group.
#include <config.h>
#endif
#include "Xlibint.h"
#include <limits.h>
int
XGetWindowProperty(
@ -66,8 +67,17 @@ XGetWindowProperty(
*prop = (unsigned char *) NULL;
if (reply.propertyType != None) {
long nbytes, netbytes;
switch (reply.format) {
unsigned long nbytes, netbytes;
int format = reply.format;
/*
* Protect against both integer overflow and just plain oversized
* memory allocation - no server should ever return this many props.
*/
if (reply.nItems >= (INT_MAX >> 4))
format = -1; /* fall through to default error case */
switch (format) {
/*
* One extra byte is malloced than is needed to contain the property
* data, but this last byte is null terminated and convenient for
@ -76,24 +86,21 @@ XGetWindowProperty(
*/
case 8:
nbytes = netbytes = reply.nItems;
if (nbytes + 1 > 0 &&
(*prop = (unsigned char *) Xmalloc ((unsigned)nbytes + 1)))
if (nbytes + 1 > 0 && (*prop = Xmalloc (nbytes + 1)))
_XReadPad (dpy, (char *) *prop, netbytes);
break;
case 16:
nbytes = reply.nItems * sizeof (short);
netbytes = reply.nItems << 1;
if (nbytes + 1 > 0 &&
(*prop = (unsigned char *) Xmalloc ((unsigned)nbytes + 1)))
if (nbytes + 1 > 0 && (*prop = Xmalloc (nbytes + 1)))
_XRead16Pad (dpy, (short *) *prop, netbytes);
break;
case 32:
nbytes = reply.nItems * sizeof (long);
netbytes = reply.nItems << 2;
if (nbytes + 1 > 0 &&
(*prop = (unsigned char *) Xmalloc ((unsigned)nbytes + 1)))
if (nbytes + 1 > 0 && (*prop = Xmalloc (nbytes + 1)))
_XRead32 (dpy, (long *) *prop, netbytes);
break;
@ -115,7 +122,7 @@ XGetWindowProperty(
break;
}
if (! *prop) {
_XEatData(dpy, (unsigned long) netbytes);
_XEatDataWords(dpy, reply.length);
UnlockDisplay(dpy);
SyncHandle();
return(BadAlloc); /* not Success */