integer overflow in ReadInFile() in Xrm.c [CVE-2013-1981 7/13]

Called from XrmGetFileDatabase() which gets called from InitDefaults() which gets the filename from getenv ("XENVIRONMENT") If file is exactly 0xffffffff bytes long (or longer and truncates to 0xffffffff, on implementations where off_t is larger than an int), then size may be set to a value which overflows causing less memory to be allocated than is written to by the following read() call. size is left limited to an int, because if your Xresources file is larger than 2gb, you're very definitely doing it wrong. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>

integer overflow in ReadInFile() in Xrm.c [CVE-2013-1981 7/13]
00d7a2e5 · Alan Coopersmith · Ulrich Sibiller · 0349af11 · 00d7a2e5
Commit 00d7a2e5 authored Mar 01, 2013 by Alan Coopersmith Committed by Ulrich Sibiller Oct 12, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 1 deletion

XrmI.h nx-X11/lib/X11/XrmI.h +3 -1

No files found.
--- a/nx-X11/lib/X11/XrmI.h
+++ b/nx-X11/lib/X11/XrmI.h
@@ -35,11 +35,13 @@ from The Open Group.
 #include	<nx-X11/Xos.h>
 #include        <sys/stat.h>
+#include        <limits.h>
 #define GetSizeOfFile(fd,size)                      \
 {                                                   \
    struct stat status_buffer;                      \
-    if ( (fstat((fd), &status_buffer)) == -1 )      \
+    if ( ((fstat((fd), &status_buffer)) == -1 ) ||  \
+         (status_buffer.st_size >= INT_MAX) )       \
 	size = -1;                                  \
    else                                            \
 	size = status_buffer.st_size;               \