From 1cb182cbdc11fc1c97507c57875f1d2453f27328 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Mon, 15 Apr 2013 08:41:14 -0700
Subject: [PATCH] Xephyr: integer overflow in XF86DRIGetClientDriverName()

clientDriverNameLength is a CARD32 and needs to be bounds checked before
adding one to it to come up with the total size to allocate, to avoid
integer overflow leading to underallocation and writing data from the
network past the end of the allocated buffer.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
---
 hw/kdrive/ephyr/XF86dri.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/hw/kdrive/ephyr/XF86dri.c b/hw/kdrive/ephyr/XF86dri.c
index 7074bc371..9f230fc99 100644
--- a/hw/kdrive/ephyr/XF86dri.c
+++ b/hw/kdrive/ephyr/XF86dri.c
@@ -328,9 +328,11 @@ XF86DRIGetClientDriverName(Display * dpy, int screen,
     *ddxDriverPatchVersion = rep.ddxDriverPatchVersion;
 
     if (rep.length) {
-        if (!
-            (*clientDriverName =
-             (char *) calloc(rep.clientDriverNameLength + 1, 1))) {
+        if (rep.clientDriverNameLength < INT_MAX)
+            *clientDriverName = calloc(rep.clientDriverNameLength + 1, 1);
+        else
+            *clientDriverName = NULL;
+        if (*clientDriverName == NULL) {
             _XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3));
             UnlockDisplay(dpy);
             SyncHandle();