Mesa (master): integer overflow in XF86DRIOpenConnection() [CVE-2013-1993 1 /2]

[Alan Coopersmith]

Module: Mesa
Branch: master
Commit: 2e5a268f18be30df15aed0b44b01a18a37fb5df4
URL:    http://cgit.freedesktop.org/mesa/mesa/commit/?id=2e5a268f18be30df15aed0b44b01a18a37fb5df4

Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Fri Apr 26 16:31:58 2013 -0700

integer overflow in XF86DRIOpenConnection() [CVE-2013-1993 1/2]

busIdStringLength is a CARD32 and needs to be bounds checked before adding
one to it to come up with the total size to allocate, to avoid integer
overflow leading to underallocation and writing data from the network past
the end of the allocated buffer.

NOTE: This is a candidate for stable release branches.

Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Reviewed-by: Brian Paul <brianp at vmware.com>

---

 src/glx/XF86dri.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletions(-)

diff --git a/src/glx/XF86dri.c b/src/glx/XF86dri.c
index b1cdc9b..8f53bd7 100644
--- a/src/glx/XF86dri.c
+++ b/src/glx/XF86dri.c
@@ -43,6 +43,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #include <X11/extensions/Xext.h>
 #include <X11/extensions/extutil.h>
 #include "xf86dristr.h"
+#include <limits.h>
 
 static XExtensionInfo _xf86dri_info_data;
 static XExtensionInfo *xf86dri_info = &_xf86dri_info_data;
@@ -201,7 +202,11 @@ XF86DRIOpenConnection(Display * dpy, int screen, drm_handle_t * hSAREA,
    }
 
    if (rep.length) {
-      if (!(*busIdString = calloc(rep.busIdStringLength + 1, 1))) {
+      if (rep.busIdStringLength < INT_MAX)
+         *busIdString = calloc(rep.busIdStringLength + 1, 1);
+      else
+         *busIdString = NULL;
+      if (*busIdString == NULL) {
          _XEatData(dpy, ((rep.busIdStringLength + 3) & ~3));
          UnlockDisplay(dpy);
          SyncHandle();