integer overflow in XListHosts() [CVE-2013-1981 5/13]

If the reported number of host entries is too large, the calculations to allocate memory for them may overflow, leaving us writing beyond the bounds of the allocation. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>

integer overflow in XListHosts() [CVE-2013-1981 5/13]
8673bf07 · Alan Coopersmith · Ulrich Sibiller · 7d18bbe9 · 8673bf07
Commit 8673bf07 authored Mar 01, 2013 by Alan Coopersmith Committed by Ulrich Sibiller Oct 12, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 15 additions and 7 deletions

LiHosts.c nx-X11/lib/X11/LiHosts.c +15 -7

No files found.
--- a/nx-X11/lib/X11/LiHosts.c
+++ b/nx-X11/lib/X11/LiHosts.c
@@ -62,6 +62,8 @@ X Window System is a trademark of The Open Group.
 #include <config.h>
 #endif
 #include "Xlibint.h"
+#include <limits.h>
+
 /*
 * can be freed using XFree.
 */
@@ -73,7 +75,6 @@ XHostAddress *XListHosts (
 {
    register XHostAddress *outbuf = NULL, *op;
    xListHostsReply reply;
-    long nbytes;
    unsigned char *buf, *bp;
    register unsigned i;
    register xListHostsReq *req;
@@ -90,19 +91,26 @@ XHostAddress *XListHosts (
    }

    if (reply.nHosts) {
-	nbytes = reply.length << 2;	/* compute number of bytes in reply */
+	unsigned long nbytes = reply.length << 2; /* number of bytes in reply */
+	const unsigned long max_hosts = INT_MAX /
+	    (sizeof(XHostAddress) + sizeof(XServerInterpretedAddress));
+
+	if (reply.nHosts < max_hosts) {
+	    unsigned long hostbytes = reply.nHosts *
+		(sizeof(XHostAddress) + sizeof(XServerInterpretedAddress));

-	op = outbuf = (XHostAddress *)
-	    Xmalloc((unsigned) (nbytes +
-	      (reply.nHosts * sizeof(XHostAddress)) +
-	      (reply.nHosts * sizeof(XServerInterpretedAddress))));
+	    if (reply.length < (INT_MAX >> 2) &&
+		(hostbytes >> 2) < ((INT_MAX >> 2) - reply.length))
+		outbuf = Xmalloc(nbytes + hostbytes);
+	}

 	if (! outbuf) {
-	    _XEatData(dpy, (unsigned long) nbytes);
+	    _XEatDataWords(dpy, reply.length);
 	    UnlockDisplay(dpy);
 	    SyncHandle();
 	    return (XHostAddress *) NULL;
 	}
+	op = outbuf;
 	sip = (XServerInterpretedAddress *)
 	 (((unsigned char  *) outbuf) + (reply.nHosts * sizeof(XHostAddress)));
 	bp = buf = ((unsigned char  *) sip)