integer overflow in XGetImage() [CVE-2013-1981 11/13]

Ensure that we don't underallocate when the server claims to have sent a very large reply. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Julien Cristau <jcristau@debian.org> Backported-to-NX-by: Ulrich Sibiller <uli42@gmx.de>

integer overflow in XGetImage() [CVE-2013-1981 11/13]
9501bce2 · Alan Coopersmith · Ulrich Sibiller · 361d3677 · 9501bce2
Commit 9501bce2 authored Mar 02, 2013 by Alan Coopersmith Committed by Ulrich Sibiller Oct 12, 2016
Show whitespace changes
Inline Side-by-side

Showing with 8 additions and 4 deletions

GetImage.c nx-X11/lib/X11/GetImage.c +8 -4

No files found.
--- a/nx-X11/lib/X11/GetImage.c
+++ b/nx-X11/lib/X11/GetImage.c
@@ -30,6 +30,7 @@ in this Software without prior written authorization from The Open Group.
 #include "Xlibint.h"
 #include <nx-X11/Xutil.h>		/* for XDestroyImage */
 #include "ImUtil.h"
+#include <limits.h>

 #define ROUNDUP(nbytes, pad) (((((nbytes) - 1) + (pad)) / (pad)) * (pad))

@@ -56,7 +57,7 @@ XImage *XGetImage (
 	xGetImageReply rep;
 	register xGetImageReq *req;
 	char *data;
-	long nbytes;
+	unsigned long nbytes;
 	XImage *image;
 	LockDisplay(dpy);
 	GetReq (GetImage, req);
@@ -78,10 +79,13 @@ XImage *XGetImage (
 		return (XImage *)NULL;
 	}

-	nbytes = (long)rep.length << 2;
-	data = (char *) Xmalloc((unsigned) nbytes);
+	if (rep.length < (INT_MAX >> 2)) {
+	    nbytes = (unsigned long)rep.length << 2;
+	    data = Xmalloc(nbytes);
+	} else
+	    data = NULL;
 	if (! data) {
-	    _XEatData(dpy, (unsigned long) nbytes);
+	    _XEatDataWords(dpy, rep.length);
 	    UnlockDisplay(dpy);
 	    SyncHandle();
 	    return (XImage *) NULL;