projects / mesa.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
integer overflow in XF86DRIGetClientDriverName() [CVE-2013-1993 2/2]
[mesa.git] / src / glx / XF86dri.c
diff --git a/src/glx/XF86dri.c b/src/glx/XF86dri.c
index 8f53bd71953c028a2499cf8f671f12ee9e598f4a..56e355706017e433cb42540ef3020be8b415b00a 100644 (file)
--- a/src/glx/XF86dri.c
+++ b/src/glx/XF86dri.c
@@ -305,9 +305,11 @@ XF86DRIGetClientDriverName(Display * dpy, int screen,
    *ddxDriverPatchVersion = rep.ddxDriverPatchVersion;
 
    if (rep.length) {
-      if (!
-          (*clientDriverName =
-           calloc(rep.clientDriverNameLength + 1, 1))) {
+      if (rep.clientDriverNameLength < INT_MAX)
+         *clientDriverName = calloc(rep.clientDriverNameLength + 1, 1);
+      else
+         *clientDriverName = NULL;
+      if (*clientDriverName == NULL) {
          _XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3));
          UnlockDisplay(dpy);
          SyncHandle();