File U_0002-integer-overflow-in-XGetFeedbackControl-... of Package xorg-x11-libs

Overview Repositories Revisions Requests Users Attributes Meta

File U_0002-integer-overflow-in-XGetFeedbackControl-CVE-2013-198.patch of Package xorg-x11-libs

From 322ee3576789380222d4403366e4fd12fb24cb6a Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 9 Mar 2013 22:55:23 -0800
Subject: [PATCH] integer overflow in XGetFeedbackControl() [CVE-2013-1984 2/8]

If the number of feedbacks reported by the server is large enough that
it overflows when multiplied by the size of the appropriate struct, or
if the total size of all the feedback structures overflows when added
together, then memory corruption can occur when more bytes are copied from
the X server reply than the size of the buffer we allocated to hold them.

v2: check that reply size fits inside the data read from the server, so
    we don't read out of bounds either

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
 src/XGetFCtl.c | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)

Index: libXi-1.2.1/src/XGetFCtl.c
===================================================================
--- libXi-1.2.1.orig/src/XGetFCtl.c
+++ libXi-1.2.1/src/XGetFCtl.c
@@ -60,6 +60,7 @@ SOFTWARE.
 #include <X11/extensions/XInput.h>
 #include <X11/extensions/extutil.h>
 #include "XIint.h"
+#include <limits.h>
 
 XFeedbackState *
 XGetFeedbackControl(dpy, dev, num_feedbacks)
@@ -67,8 +68,6 @@ XGetFeedbackControl(dpy, dev, num_feedba
     XDevice *dev;
     int *num_feedbacks;
 {
-    int size = 0;
-    int nbytes, i;
     XFeedbackState *Feedback = NULL;
     XFeedbackState *Sav = NULL;
     xFeedbackState *f = NULL;
@@ -92,9 +91,16 @@ XGetFeedbackControl(dpy, dev, num_feedba
 	return (XFeedbackState *) NULL;
     }
     if (rep.length > 0) {
+	unsigned long nbytes;
+	size_t size = 0;
+	int i;
+
 	*num_feedbacks = rep.num_feedbacks;
-	nbytes = (long)rep.length << 2;
-	f = (xFeedbackState *) Xmalloc((unsigned)nbytes);
+
+	if (rep.length < (INT_MAX >> 2)) {
+	    nbytes = rep.length << 2;
+	    f = Xmalloc(nbytes);
+	}
 	if (!f) {
 	    _XEatData(dpy, (unsigned long)nbytes);
 	    UnlockDisplay(dpy);
@@ -105,6 +111,10 @@ XGetFeedbackControl(dpy, dev, num_feedba
 	_XRead(dpy, (char *)f, nbytes);
 
 	for (i = 0; i < *num_feedbacks; i++) {
+	    if (f->length > nbytes)
+		goto out;
+	    nbytes -= f->length;
+
 	    switch (f->class) {
 	    case KbdFeedbackClass:
 		size += sizeof(XKbdFeedbackState);
@@ -119,6 +129,8 @@ XGetFeedbackControl(dpy, dev, num_feedba
 	    {
 		xStringFeedbackState *strf = (xStringFeedbackState *) f;
 
+		if (strf->num_syms_supported >= (INT_MAX / sizeof(KeySym)))
+		    goto out;
 		size += sizeof(XStringFeedbackState) +
 		    (strf->num_syms_supported * sizeof(KeySym));
 	    }
@@ -133,10 +145,12 @@ XGetFeedbackControl(dpy, dev, num_feedba
 		size += f->length;
 		break;
 	    }
+	    if (size > INT_MAX)
+		goto out;
 	    f = (xFeedbackState *) ((char *)f + f->length);
 	}
 
-	Feedback = (XFeedbackState *) Xmalloc((unsigned)size);
+	Feedback = Xmalloc(size);
 	if (!Feedback) {
 	    UnlockDisplay(dpy);
 	    SyncHandle();
@@ -256,8 +270,9 @@ XGetFeedbackControl(dpy, dev, num_feedba
 	    f = (xFeedbackState *) ((char *)f + f->length);
 	    Feedback = (XFeedbackState *) ((char *)Feedback + Feedback->length);
 	}
-	XFree((char *)sav);
     }
+out:
+    XFree((char *)sav);
 
     UnlockDisplay(dpy);
     SyncHandle();

Places

File U_0002-integer-overflow-in-XGetFeedbackControl-CVE-2013-198.patch of Package xorg-x11-libs

Places