From 2e5a268f18be30df15aed0b44b01a18a37fb5df4 Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Fri, 26 Apr 2013 16:31:58 -0700 Subject: integer overflow in XF86DRIOpenConnection() [CVE-2013-1993 1/2] busIdStringLength is a CARD32 and needs to be bounds checked before adding one to it to come up with the total size to allocate, to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. NOTE: This is a candidate for stable release branches. Reported-by: Ilja Van Sprundel Signed-off-by: Alan Coopersmith Reviewed-by: Brian Paul --- src/glx/XF86dri.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'src/glx') diff --git a/src/glx/XF86dri.c b/src/glx/XF86dri.c index b1cdc9b2865..8f53bd71953 100644 --- a/src/glx/XF86dri.c +++ b/src/glx/XF86dri.c @@ -43,6 +43,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. #include #include #include "xf86dristr.h" +#include static XExtensionInfo _xf86dri_info_data; static XExtensionInfo *xf86dri_info = &_xf86dri_info_data; @@ -201,7 +202,11 @@ XF86DRIOpenConnection(Display * dpy, int screen, drm_handle_t * hSAREA, } if (rep.length) { - if (!(*busIdString = calloc(rep.busIdStringLength + 1, 1))) { + if (rep.busIdStringLength < INT_MAX) + *busIdString = calloc(rep.busIdStringLength + 1, 1); + else + *busIdString = NULL; + if (*busIdString == NULL) { _XEatData(dpy, ((rep.busIdStringLength + 3) & ~3)); UnlockDisplay(dpy); SyncHandle(); -- cgit v1.2.3