integer overflow in XGetMotionEvents() [CVE-2013-1981 4/13]

If the reported number of motion events is too large, the calculations to allocate memory for them may overflow, leaving us writing beyond the bounds of the allocation. v2: Ensure nEvents is set to 0 when returning NULL events pointer Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>

integer overflow in XGetMotionEvents() [CVE-2013-1981 4/13]
7d18bbe9 · Alan Coopersmith · Ulrich Sibiller · 29779559 · 7d18bbe9
Commit 7d18bbe9 authored Mar 01, 2013 by Alan Coopersmith Committed by Ulrich Sibiller Oct 12, 2016
Show whitespace changes
Inline Side-by-side

Showing with 11 additions and 15 deletions

GetMoEv.c nx-X11/lib/X11/GetMoEv.c +11 -15

No files found.
--- a/nx-X11/lib/X11/GetMoEv.c
+++ b/nx-X11/lib/X11/GetMoEv.c
@@ -28,6 +28,7 @@ in this Software without prior written authorization from The Open Group.
 #include <config.h>
 #endif
 #include "Xlibint.h"
+#include <limits.h>
 XTimeCoord *XGetMotionEvents(
    register Display *dpy,
@@ -39,7 +40,6 @@ XTimeCoord *XGetMotionEvents(
    xGetMotionEventsReply rep;
    register xGetMotionEventsReq *req;
    XTimeCoord *tc = NULL;
-    long nbytes;
    LockDisplay(dpy);
    GetReq(GetMotionEvents, req);
    req->window = w;
@@ -52,26 +52,22 @@ XTimeCoord *XGetMotionEvents(
 	return (NULL);
 	}
-    if (rep.nEvents) {
+    if (rep.nEvents && (rep.nEvents < (INT_MAX / sizeof(XTimeCoord))))
-	if (! (tc = (XTimeCoord *)
+	tc = Xmalloc(rep.nEvents * sizeof(XTimeCoord));
-	       Xmalloc( (unsigned)
+    if (tc == NULL) {
-		       (nbytes = (long) rep.nEvents * sizeof(XTimeCoord))))) {
+	/* server returned either no events or a bad event count */
-	    _XEatData (dpy, (unsigned long) nbytes);
+	*nEvents = 0;
-	    UnlockDisplay(dpy);
+	_XEatDataWords (dpy, rep.length);
-	    SyncHandle();
-	    return (NULL);
    }
-    }
+    else
-    *nEvents = rep.nEvents;
-    nbytes = SIZEOF (xTimecoord);
    {
 	register XTimeCoord *tcptr;
-	register int i;
+	unsigned int i;
 	xTimecoord xtc;
+	*nEvents = (int) rep.nEvents;
 	for (i = rep.nEvents, tcptr = tc; i > 0; i--, tcptr++) {
-	    _XRead (dpy, (char *) &xtc, nbytes);
+	    _XRead (dpy, (char *) &xtc, SIZEOF (xTimecoord));
 	    tcptr->time = xtc.time;
 	    tcptr->x    = cvtINT16toShort (xtc.x);
 	    tcptr->y    = cvtINT16toShort (xtc.y);