diff options
author | Natanael Copa <ncopa@alpinelinux.org> | 2013-06-06 16:15:24 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-06-06 16:15:24 +0000 |
commit | a2e6a170d7f82935f55d6b1dfd7cd408475983cd (patch) | |
tree | 4a1505b7a5d135ce62201dcee97d5e8e9a185d15 | |
parent | a9923133bcabf62806552e5661d63f0347e205b6 (diff) | |
download | aports-a2e6a170d7f82935f55d6b1dfd7cd408475983cd.tar.bz2 aports-a2e6a170d7f82935f55d6b1dfd7cd408475983cd.tar.xz |
main/libxv: upgrade to 1.0.8
6 files changed, 6 insertions, 283 deletions
diff --git a/main/libxv/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch b/main/libxv/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch deleted file mode 100644 index 0e33952a60..0000000000 --- a/main/libxv/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch +++ /dev/null @@ -1,93 +0,0 @@ -From 79362c764a6df7e7fbe5247756bdbf60f3a58baf Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith <alan.coopersmith@oracle.com> -Date: Sat, 13 Apr 2013 00:28:34 -0700 -Subject: [PATCH 1/5] Use _XEatDataWords to avoid overflow of rep.length - shifting - -rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds - -Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> ---- - configure.ac | 6 ++++++ - src/Xv.c | 22 +++++++++++++++++++--- - 2 files changed, 25 insertions(+), 3 deletions(-) - -diff --git a/configure.ac b/configure.ac -index 5494b5d..6a335db 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -43,6 +43,12 @@ XORG_CHECK_MALLOC_ZERO - # Obtain compiler/linker options for depedencies - PKG_CHECK_MODULES(XV, x11 xext xextproto videoproto) - -+# Check for _XEatDataWords function that may be patched into older Xlib release -+SAVE_LIBS="$LIBS" -+LIBS="$XV_LIBS" -+AC_CHECK_FUNCS([_XEatDataWords]) -+LIBS="$SAVE_LIBS" -+ - # Allow checking code with lint, sparse, etc. - XORG_WITH_LINT - XORG_LINT_LIBRARY([Xv]) -diff --git a/src/Xv.c b/src/Xv.c -index b081e8a..5be1d95 100644 ---- a/src/Xv.c -+++ b/src/Xv.c -@@ -49,11 +49,27 @@ SOFTWARE. - ** - */ - -+#ifdef HAVE_CONFIG_H -+# include "config.h" -+#endif -+ - #include <stdio.h> - #include "Xvlibint.h" - #include <X11/extensions/Xext.h> - #include <X11/extensions/extutil.h> - #include <X11/extensions/XShm.h> -+#include <limits.h> -+ -+#ifndef HAVE__XEATDATAWORDS -+static inline void _XEatDataWords(Display *dpy, unsigned long n) -+{ -+# ifndef LONG64 -+ if (n >= (ULONG_MAX >> 2)) -+ _XIOError(dpy); -+# endif -+ _XEatData (dpy, n << 2); -+} -+#endif - - static XExtensionInfo _xv_info_data; - static XExtensionInfo *xv_info = &_xv_info_data; -@@ -853,7 +869,7 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num) - (*num)++; - } - } else -- _XEatData(dpy, rep.length << 2); -+ _XEatDataWords(dpy, rep.length); - } - - UnlockDisplay(dpy); -@@ -923,7 +939,7 @@ XvImageFormatValues * XvListImageFormats ( - (*num)++; - } - } else -- _XEatData(dpy, rep.length << 2); -+ _XEatDataWords(dpy, rep.length); - } - - UnlockDisplay(dpy); -@@ -976,7 +992,7 @@ XvImage * XvCreateImage ( - _XRead(dpy, (char*)(ret->pitches), rep.num_planes << 2); - _XRead(dpy, (char*)(ret->offsets), rep.num_planes << 2); - } else -- _XEatData(dpy, rep.length << 2); -+ _XEatDataWords(dpy, rep.length); - - UnlockDisplay(dpy); - SyncHandle(); --- -1.8.2.3 - diff --git a/main/libxv/0002-integer-overflow-in-XvQueryPortAttributes-CVE-2013-1.patch b/main/libxv/0002-integer-overflow-in-XvQueryPortAttributes-CVE-2013-1.patch deleted file mode 100644 index 707f99b02b..0000000000 --- a/main/libxv/0002-integer-overflow-in-XvQueryPortAttributes-CVE-2013-1.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 6e1b743a276651195be3cd68dff41e38426bf3ab Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith <alan.coopersmith@oracle.com> -Date: Sat, 13 Apr 2013 00:03:03 -0700 -Subject: [PATCH 2/5] integer overflow in XvQueryPortAttributes() - [CVE-2013-1989 1/3] - -The num_attributes & text_size members of the reply are both CARD32s -and need to be bounds checked before multiplying & adding them together -to come up with the total size to allocate, to avoid integer overflow -leading to underallocation and writing data from the network past the -end of the allocated buffer. - -Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> -Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> ---- - src/Xv.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/src/Xv.c b/src/Xv.c -index 5be1d95..3cbad35 100644 ---- a/src/Xv.c -+++ b/src/Xv.c -@@ -851,9 +851,15 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num) - } - - if(rep.num_attributes) { -- int size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size; -+ unsigned long size; -+ /* limit each part to no more than one half the max size */ -+ if ((rep.num_attributes < ((INT_MAX / 2) / sizeof(XvAttribute))) && -+ (rep.text_size < (INT_MAX / 2))) { -+ size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size; -+ ret = Xmalloc(size); -+ } - -- if((ret = Xmalloc(size))) { -+ if (ret != NULL) { - char* marker = (char*)(&ret[rep.num_attributes]); - xvAttributeInfo Info; - int i; --- -1.8.2.3 - diff --git a/main/libxv/0003-buffer-overflow-in-XvQueryPortAttributes-CVE-2013-20.patch b/main/libxv/0003-buffer-overflow-in-XvQueryPortAttributes-CVE-2013-20.patch deleted file mode 100644 index 24e1c1b8b3..0000000000 --- a/main/libxv/0003-buffer-overflow-in-XvQueryPortAttributes-CVE-2013-20.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 15ab7dec17d686c38f2c82ac23a17cac5622322a Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith <alan.coopersmith@oracle.com> -Date: Sat, 13 Apr 2013 00:16:14 -0700 -Subject: [PATCH 3/5] buffer overflow in XvQueryPortAttributes() - [CVE-2013-2066] - -Each attribute returned in the reply includes the number of bytes -to read for its marker. We had been always trusting it, and never -validating that it wouldn't cause us to write past the end of the -buffer we allocated based on the reported text_size. - -Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> -Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> ---- - src/Xv.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/src/Xv.c b/src/Xv.c -index 3cbad35..f9813eb 100644 ---- a/src/Xv.c -+++ b/src/Xv.c -@@ -864,14 +864,20 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num) - xvAttributeInfo Info; - int i; - -+ /* keep track of remaining room for text strings */ -+ size = rep.text_size; -+ - for(i = 0; i < rep.num_attributes; i++) { - _XRead(dpy, (char*)(&Info), sz_xvAttributeInfo); - ret[i].flags = (int)Info.flags; - ret[i].min_value = Info.min; - ret[i].max_value = Info.max; - ret[i].name = marker; -- _XRead(dpy, marker, Info.size); -- marker += Info.size; -+ if (Info.size <= size) { -+ _XRead(dpy, marker, Info.size); -+ marker += Info.size; -+ size -= Info.size; -+ } - (*num)++; - } - } else --- -1.8.2.3 - diff --git a/main/libxv/0004-integer-overflow-in-XvListImageFormats-CVE-2013-1989.patch b/main/libxv/0004-integer-overflow-in-XvListImageFormats-CVE-2013-1989.patch deleted file mode 100644 index b80f47a1d7..0000000000 --- a/main/libxv/0004-integer-overflow-in-XvListImageFormats-CVE-2013-1989.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 59301c1b5095f7dc6359d5b396dbbcdee7038270 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith <alan.coopersmith@oracle.com> -Date: Sat, 13 Apr 2013 00:03:03 -0700 -Subject: [PATCH 4/5] integer overflow in XvListImageFormats() [CVE-2013-1989 - 2/3] - -num_formats is a CARD32 and needs to be bounds checked before multiplying -by sizeof(XvImageFormatValues) to come up with the total size to allocate, -to avoid integer overflow leading to underallocation and writing data from -the network past the end of the allocated buffer. - -Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> -Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> ---- - src/Xv.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/src/Xv.c b/src/Xv.c -index f9813eb..0a07d9d 100644 ---- a/src/Xv.c -+++ b/src/Xv.c -@@ -918,9 +918,10 @@ XvImageFormatValues * XvListImageFormats ( - } - - if(rep.num_formats) { -- int size = (rep.num_formats * sizeof(XvImageFormatValues)); -+ if (rep.num_formats < (INT_MAX / sizeof(XvImageFormatValues))) -+ ret = Xmalloc(rep.num_formats * sizeof(XvImageFormatValues)); - -- if((ret = Xmalloc(size))) { -+ if (ret != NULL) { - xvImageFormatInfo Info; - int i; - --- -1.8.2.3 - diff --git a/main/libxv/0005-integer-overflow-in-XvCreateImage-CVE-2013-1989-3-3.patch b/main/libxv/0005-integer-overflow-in-XvCreateImage-CVE-2013-1989-3-3.patch deleted file mode 100644 index 2be6900c33..0000000000 --- a/main/libxv/0005-integer-overflow-in-XvCreateImage-CVE-2013-1989-3-3.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 50fc4cb18069cb9450a02c13f80223ef23511409 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith <alan.coopersmith@oracle.com> -Date: Sat, 13 Apr 2013 00:03:03 -0700 -Subject: [PATCH 5/5] integer overflow in XvCreateImage() [CVE-2013-1989 3/3] - -num_planes is a CARD32 and needs to be bounds checked before bit shifting -and adding to sizeof(XvImage) to come up with the total size to allocate, -to avoid integer overflow leading to underallocation and writing data from -the network past the end of the allocated buffer. - -Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> -Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> ---- - src/Xv.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/src/Xv.c b/src/Xv.c -index 0a07d9d..f268f8e 100644 ---- a/src/Xv.c -+++ b/src/Xv.c -@@ -992,7 +992,10 @@ XvImage * XvCreateImage ( - return NULL; - } - -- if((ret = (XvImage*)Xmalloc(sizeof(XvImage) + (rep.num_planes << 3)))) { -+ if (rep.num_planes < ((INT_MAX >> 3) - sizeof(XvImage))) -+ ret = Xmalloc(sizeof(XvImage) + (rep.num_planes << 3)); -+ -+ if (ret != NULL) { - ret->id = id; - ret->width = rep.width; - ret->height = rep.height; --- -1.8.2.3 - diff --git a/main/libxv/APKBUILD b/main/libxv/APKBUILD index efb6b10857..bad28362ac 100644 --- a/main/libxv/APKBUILD +++ b/main/libxv/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=libxv -pkgver=1.0.7 -pkgrel=1 +pkgver=1.0.8 +pkgrel=0 pkgdesc="X11 Video extension library" url="http://xorg.freedesktop.org/" arch="all" @@ -9,13 +9,8 @@ license="custom" subpackages="$pkgname-dev $pkgname-doc" depends= depends_dev="xproto videoproto libx11-dev libxext-dev" -makedepends="$depends_dev libtool autoconf automake util-macros" +makedepends="$depends_dev" source="http://xorg.freedesktop.org/releases/individual/lib/libXv-$pkgver.tar.bz2 - 0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch - 0002-integer-overflow-in-XvQueryPortAttributes-CVE-2013-1.patch - 0003-buffer-overflow-in-XvQueryPortAttributes-CVE-2013-20.patch - 0004-integer-overflow-in-XvListImageFormats-CVE-2013-1989.patch - 0005-integer-overflow-in-XvCreateImage-CVE-2013-1989-3-3.patch " _builddir="$srcdir"/libXv-$pkgver @@ -26,8 +21,6 @@ prepare() { *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;; esac done - libtoolize --force && aclocal && autoheader && autoconf \ - && automake --add-missing } build() { @@ -42,21 +35,6 @@ package() { rm "$pkgdir"/usr/lib/*.la || return 1 install -D -m644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/COPYING } -md5sums="5e1ac203ccd3ce3e89755ed1fbe75b0b libXv-1.0.7.tar.bz2 -cbd5367f2b5717cab78b819aaaacd7d9 0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch -ff8da08c2883bdc98cbac78e448e81e6 0002-integer-overflow-in-XvQueryPortAttributes-CVE-2013-1.patch -108ba64a9d7d5f3763cfbb00ffe53eb2 0003-buffer-overflow-in-XvQueryPortAttributes-CVE-2013-20.patch -53dbcb31cb08325b3a5329f16ddab3dd 0004-integer-overflow-in-XvListImageFormats-CVE-2013-1989.patch -0844dd0e117d36a70f603019af580f13 0005-integer-overflow-in-XvCreateImage-CVE-2013-1989-3-3.patch" -sha256sums="5d664aeb641f8c867331a0c6b4574a5e7e420f00bf5fcefd874e8d003ea59010 libXv-1.0.7.tar.bz2 -993a72fc67e9de4df9b19eeedd32c70b325ed5d97fdc9e476a585d5fd151469e 0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch -583d3d8192bd11902e464213b462f24f632424c449eaa68c238910a2b1b223fb 0002-integer-overflow-in-XvQueryPortAttributes-CVE-2013-1.patch -7525a4f5df082913d614683219795e5ecaafd999fbe7696ab2e48857f1455b8c 0003-buffer-overflow-in-XvQueryPortAttributes-CVE-2013-20.patch -51edf32e1da0ef2afa7f11ef9b96c29f7d886f1a88b5610118753a36afc140ce 0004-integer-overflow-in-XvListImageFormats-CVE-2013-1989.patch -4debde18842840d7872ba3b367ca9bb5c40b2565d0d7d2c984961b10a2971955 0005-integer-overflow-in-XvCreateImage-CVE-2013-1989-3-3.patch" -sha512sums="25c81cc6d112a6b07de1c53fa5fc8bb9d886d19cffc2bcd65c4668ba53808051cf4d4720413b5c436ba356bb76f9ca05decf61909839ee19ccf9cbc7263e373b libXv-1.0.7.tar.bz2 -b4a8c457380ff3d1dd2b4da0b80f83cf577fe1345a3b8c49686e9ad88ce77f49ade7e4a7c5042bf0dff6e43af8a6adcb5706067ea87ecf5b84e74849b65cfbc9 0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch -fb07656fcd4779c246546ec8d2cc3dd16b013d77380ecf21cf2b2ee7f37910cf9a5f016c8b97a68e5499b5af88b5cdbbe19399c278136daa72ad3321f343d66a 0002-integer-overflow-in-XvQueryPortAttributes-CVE-2013-1.patch -2ecc22e831cad3ed4701c42665d25b6c2da358a3464d8a0a29e6f081a83cdd79ce50b67692ee93e6d114f518250a979920df93e7366a5063a36ee69bdc8fd2c8 0003-buffer-overflow-in-XvQueryPortAttributes-CVE-2013-20.patch -0b63e9966e854b51df7c9db1359f4c8c868f607b0effd0c6f6f5838c9451e57e0951ae32fbe5b2cac14765e6738ba50b688539c9f5c08bc05bb794ef572c27f6 0004-integer-overflow-in-XvListImageFormats-CVE-2013-1989.patch -628cc07629f6819a435bd29f9e6d79a9cc13ee7ed6abef3c9d322c32cd78a75e386a448191fa38f01fe4597ef66e9347f0e7ed8724bb7974520cb9a7ffd5a7ef 0005-integer-overflow-in-XvCreateImage-CVE-2013-1989-3-3.patch" +md5sums="224dadca53d9c88f8a2b8945babcea70 libXv-1.0.8.tar.bz2" +sha256sums="4f00eb5347390909cea4e53a69425839d2a6a44e0e0613321d59e7e4aeaf73d7 libXv-1.0.8.tar.bz2" +sha512sums="610866deaa7fdb3e10a2d5071fe79987e74320b18604e957e5a4d45e3716a3f9e31b44e42fd10c70cbf0ed8629f4d3e8699a1958e80779f8c1b991aece5cc864 libXv-1.0.8.tar.bz2" |