[PATCH 4/5] Xephyr: integer overflow in XF86DRIOpenConnection()
Julien Cristau
jcristau at debian.org
Sat Jun 1 03:26:23 PDT 2013
On Thu, May 23, 2013 at 09:27:29 -0700, Alan Coopersmith wrote:
> busIdStringLength is a CARD32 and needs to be bounds checked before adding
> one to it to come up with the total size to allocate, to avoid integer
> overflow leading to underallocation and writing data from the network past
> the end of the allocated buffer.
>
> Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
> Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
> ---
> hw/kdrive/ephyr/XF86dri.c | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/hw/kdrive/ephyr/XF86dri.c b/hw/kdrive/ephyr/XF86dri.c
> index 9d742f3..b1f070e 100644
> --- a/hw/kdrive/ephyr/XF86dri.c
> +++ b/hw/kdrive/ephyr/XF86dri.c
> @@ -225,7 +225,11 @@ XF86DRIOpenConnection(Display * dpy, int screen,
> }
>
> if (rep.length) {
> - if (!(*busIdString = (char *) calloc(rep.busIdStringLength + 1, 1))) {
> + if (rep.busIdStringLength < INT_MAX)
> + *busIdString = calloc(rep.busIdStringLength + 1, 1);
> + else
> + *busIdString = NULL;
> + if (*busIdString == NULL) {
> _XEatData(dpy, ((rep.busIdStringLength + 3) & ~3));
> UnlockDisplay(dpy);
> SyncHandle();
We might still overflow in the _XEatData call, but I guess that's not so
much an issue.
Reviewed-by: Julien Cristau <jcristau at debian.org>
Cheers,
Julien
More information about the xorg-devel
mailing list