authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-04-26 23:59:25 -0700
committerAlan Coopersmith <alan.coopersmith@oracle.com>2013-05-07 14:02:30 -0700
commite111065f6dd790c820fa67ea31055b18c68481e3 (patch)
tree720d30d0a5d7bcd9cb4081dca5df18a89cc5be27
parentcc90f6be64bfd6973ae270b9bff494f577e1bda7 (diff)
downloadxorg-lib-libXp-e111065f6dd790c820fa67ea31055b18c68481e3.tar.gz
integer overflows in XpQueryScreens() [CVE-2013-2062 3/3]
listCount is a CARD32 that needs to be bounds checked before it is multiplied by the size of the pointers to allocate, to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-rw-r--r--src/XpScreens.c16
1 files changed, 8 insertions, 8 deletions
diff --git a/src/XpScreens.c b/src/XpScreens.c
index 815dfbf..b31e554 100644
--- a/src/XpScreens.c
+++ b/src/XpScreens.c
@@ -42,6 +42,7 @@
#include <X11/extensions/Printstr.h>
#include <X11/Xlibint.h>
#include "XpExtUtil.h"
+#include <limits.h>
Screen **
@@ -82,19 +83,17 @@ XpQueryScreens (
*list_count = rep.listCount;
if (*list_count) {
- scr_list = (Screen **)
- Xmalloc( (unsigned) (sizeof(Screen *) * *list_count) );
+ if (rep.listCount < (INT_MAX / sizeof(Screen *)))
+ scr_list = Xmalloc(sizeof(Screen *) * *list_count);
+ else
+ scr_list = NULL;
if (!scr_list) {
- UnlockDisplay(dpy);
- SyncHandle();
- return ( (Screen **) NULL ); /* malloc error */
+ _XEatDataWords(dpy, rep.length);
+ goto out;
}
i = 0;
while(i < *list_count){
- /*
- * Pull printer length and then name.
- */
_XRead32 (dpy, &rootWindow, (long) sizeof(CARD32) );
scr_list[i] = NULL;
for ( j = 0; j < XScreenCount(dpy); j++ ) {
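Review bot: On the rejection path added at `_XEatDataWords(dpy, rep.length); goto out;`, `*list_count` still holds the server-supplied `rep.listCount` assigned at the top of the hunk, so the caller receives a NULL list together with a non-zero count. A caller that loops on the count without testing the pointer would dereference NULL; adding `*list_count = 0;` before `goto out;` keeps the two outputs consistent. Separately, the read loop still takes the number of `_XRead32` calls from `listCount` and never compares it with `rep.length`, so a reply that declares more entries than it carries would, as far as this hunk shows, read past the reply data. Assuming each entry is one 32-bit word, as the `_XRead32` call suggests, folding `rep.listCount > rep.length` into the same rejection would cover it. The body of XpQueryScreens starts and ends outside this hunk.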
@@ -118,6 +117,7 @@ XpQueryScreens (
scr_list = (Screen **) NULL;
}
+ out:
UnlockDisplay(dpy);
SyncHandle();