integer overflow in XGetModifierMapping() [CVE-2013-1981 13/13]

Ensure that we don't underallocate when the server claims a very large reply Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>

integer overflow in XGetModifierMapping() [CVE-2013-1981 13/13]
306ca006 · Alan Coopersmith · Ulrich Sibiller · 748af521 · 306ca006
Commit 306ca006 authored Mar 02, 2013 by Alan Coopersmith Committed by Ulrich Sibiller Oct 12, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 4 deletions

ModMap.c nx-X11/lib/X11/ModMap.c +9 -4

No files found.
--- a/nx-X11/lib/X11/ModMap.c
+++ b/nx-X11/lib/X11/ModMap.c
@@ -28,6 +28,7 @@ in this Software without prior written authorization from The Open Group.
 #include <config.h>
 #endif
 #include "Xlibint.h"
+#include <limits.h>

 XModifierKeymap *
 XGetModifierMapping(register Display *dpy)
@@ -41,13 +42,17 @@ XGetModifierMapping(register Display *dpy)
    GetEmptyReq(GetModifierMapping, req);
    (void) _XReply (dpy, (xReply *)&rep, 0, xFalse);

-    nbytes = (unsigned long)rep.length << 2;
-    res = (XModifierKeymap *) Xmalloc(sizeof (XModifierKeymap));
-    if (res) res->modifiermap = (KeyCode *) Xmalloc ((unsigned) nbytes);
+    if (rep.length < (LONG_MAX >> 2)) {
+	nbytes = (unsigned long)rep.length << 2;
+	res = Xmalloc(sizeof (XModifierKeymap));
+	if (res)
+	    res->modifiermap = Xmalloc (nbytes);
+    } else
+	res = NULL;
    if ((! res) || (! res->modifiermap)) {
 	if (res) Xfree((char *) res);
 	res = (XModifierKeymap *) NULL;
-	_XEatData(dpy, nbytes);
+	_XEatDataWords(dpy, rep.length);
    } else {
 	_XReadPad(dpy, (char *) res->modifiermap, (long) nbytes);
 	res->max_keypermod = rep.numKeyPerModifier;