[PATCH 5/8] Xephyr: integer overflow in XF86DRIGetClientDriverName()

Alan Coopersmith alan.coopersmith at oracle.com
Fri Jul 5 23:47:48 PDT 2013


clientDriverNameLength is a CARD32 and needs to be bounds checked before
adding one to it to come up with the total size to allocate, to avoid
integer overflow leading to underallocation and writing data from the
network past the end of the allocated buffer.

Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Reviewed-by: Julien Cristau <jcristau at debian.org>
---
 hw/kdrive/ephyr/XF86dri.c |    8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/hw/kdrive/ephyr/XF86dri.c b/hw/kdrive/ephyr/XF86dri.c
index 7074bc3..9f230fc 100644
--- a/hw/kdrive/ephyr/XF86dri.c
+++ b/hw/kdrive/ephyr/XF86dri.c
@@ -328,9 +328,11 @@ XF86DRIGetClientDriverName(Display * dpy, int screen,
     *ddxDriverPatchVersion = rep.ddxDriverPatchVersion;
 
     if (rep.length) {
-        if (!
-            (*clientDriverName =
-             (char *) calloc(rep.clientDriverNameLength + 1, 1))) {
+        if (rep.clientDriverNameLength < INT_MAX)
+            *clientDriverName = calloc(rep.clientDriverNameLength + 1, 1);
+        else
+            *clientDriverName = NULL;
+        if (*clientDriverName == NULL) {
             _XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3));
             UnlockDisplay(dpy);
             SyncHandle();
-- 
1.7.9.2



More information about the xorg-devel mailing list