diff options
| author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-04-26 16:33:03 -0700 |
|---|---|---|
| committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-05-30 18:03:45 -0700 |
| commit | 306f630e676eb901789dd09a0f30d7e7fa941ebe (patch) | |
| tree | 3aa7e45fd1d42f3045343c356926c9e1cc9d0767 /src/glx/XF86dri.c | |
| parent | 2e5a268f18be30df15aed0b44b01a18a37fb5df4 (diff) | |
| download | external_mesa3d-306f630e676eb901789dd09a0f30d7e7fa941ebe.zip external_mesa3d-306f630e676eb901789dd09a0f30d7e7fa941ebe.tar.gz external_mesa3d-306f630e676eb901789dd09a0f30d7e7fa941ebe.tar.bz2 | |
integer overflow in XF86DRIGetClientDriverName() [CVE-2013-1993 2/2]
clientDriverNameLength is a CARD32 and needs to be bounds checked before
adding one to it to come up with the total size to allocate, to avoid
integer overflow leading to underallocation and writing data from the
network past the end of the allocated buffer.
NOTE: This is a candidate for stable release branches.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Brian Paul <brianp@vmware.com>
Diffstat (limited to 'src/glx/XF86dri.c')
| -rw-r--r-- | src/glx/XF86dri.c | 8 |
1 files changed, 5 insertions, 3 deletions
diff --git a/src/glx/XF86dri.c b/src/glx/XF86dri.c index 8f53bd7..56e3557 100644 --- a/src/glx/XF86dri.c +++ b/src/glx/XF86dri.c @@ -305,9 +305,11 @@ XF86DRIGetClientDriverName(Display * dpy, int screen, *ddxDriverPatchVersion = rep.ddxDriverPatchVersion; if (rep.length) { - if (! - (*clientDriverName = - calloc(rep.clientDriverNameLength + 1, 1))) { + if (rep.clientDriverNameLength < INT_MAX) + *clientDriverName = calloc(rep.clientDriverNameLength + 1, 1); + else + *clientDriverName = NULL; + if (*clientDriverName == NULL) { _XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3)); UnlockDisplay(dpy); SyncHandle(); |