integer overflow in XF86DRIGetClientDriverName() [CVE-2013-1993 2/2]
authorAlan Coopersmith <alan.coopersmith@oracle.com>
Fri, 26 Apr 2013 23:33:03 +0000 (16:33 -0700)
committerAlan Coopersmith <alan.coopersmith@oracle.com>
Fri, 31 May 2013 01:03:45 +0000 (18:03 -0700)
commit306f630e676eb901789dd09a0f30d7e7fa941ebe
tree3aa7e45fd1d42f3045343c356926c9e1cc9d0767
parent2e5a268f18be30df15aed0b44b01a18a37fb5df4
integer overflow in XF86DRIGetClientDriverName() [CVE-2013-1993 2/2]

clientDriverNameLength is a CARD32 and needs to be bounds checked before
adding one to it to come up with the total size to allocate, to avoid
integer overflow leading to underallocation and writing data from the
network past the end of the allocated buffer.

NOTE: This is a candidate for stable release branches.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Brian Paul <brianp@vmware.com>
src/glx/XF86dri.c