diff options
| author | Natanael Copa <ncopa@alpinelinux.org> | 2013-06-06 16:07:08 +0000 |
|---|---|---|
| committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-06-06 16:07:08 +0000 |
| commit | 4e33a14b02d793b6fef73624e3d50f095a7308ae (patch) | |
| tree | a09988be930e17b7fa4b730399ccdecf9e6a9bec /main/libxext/0003-integer-overflow-in-XcupStoreColors-CVE-2013-1982-2-.patch | |
| parent | 4ad71042333aae7134222ccfa21ea6efd83b9ec5 (diff) | |
| download | aports-4e33a14b02d793b6fef73624e3d50f095a7308ae.tar.bz2 aports-4e33a14b02d793b6fef73624e3d50f095a7308ae.tar.xz | |
main/libxext: upgrade to 1.3.2
Diffstat (limited to 'main/libxext/0003-integer-overflow-in-XcupStoreColors-CVE-2013-1982-2-.patch')
| -rw-r--r-- | main/libxext/0003-integer-overflow-in-XcupStoreColors-CVE-2013-1982-2-.patch | 63 |
1 files changed, 0 insertions, 63 deletions
diff --git a/main/libxext/0003-integer-overflow-in-XcupStoreColors-CVE-2013-1982-2-.patch b/main/libxext/0003-integer-overflow-in-XcupStoreColors-CVE-2013-1982-2-.patch deleted file mode 100644 index 0be477d23d..0000000000 --- a/main/libxext/0003-integer-overflow-in-XcupStoreColors-CVE-2013-1982-2-.patch +++ /dev/null @@ -1,63 +0,0 @@ -From 082d70b19848059ba78c9d1c315114fb07e8c0ef Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith <alan.coopersmith@oracle.com> -Date: Sat, 9 Mar 2013 14:40:33 -0800 -Subject: [PATCH 3/7] integer overflow in XcupStoreColors() [CVE-2013-1982 2/6] - -If the computed number of entries is large enough that it overflows when -multiplied by the size of a xColorItem struct, or is treated as negative -when compared to the size of the stack allocated buffer, then memory -corruption can occur when more bytes are read from the X server than the -size of the buffer we allocated to hold them. - -The requirement to match the number of colors specified by the caller makes -this much harder to hit than the one in XcupGetReservedColormapEntries() - -Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> -Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> ---- - src/Xcup.c | 25 +++++++++++-------------- - 1 file changed, 11 insertions(+), 14 deletions(-) - -diff --git a/src/Xcup.c b/src/Xcup.c -index 670f356..cdc64c2 100644 ---- a/src/Xcup.c -+++ b/src/Xcup.c -@@ -219,24 +219,21 @@ XcupStoreColors( - } - - if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) { -- long nbytes; -+ unsigned long nbytes; - xColorItem* rbufp; - xColorItem* cs; -- int nentries = rep.length / 3; -- -- nbytes = nentries * SIZEOF (xColorItem); -+ unsigned int nentries = rep.length / 3; - -- if (nentries != ncolors) { -- _XEatDataWords(dpy, rep.length); -- UnlockDisplay (dpy); -- SyncHandle (); -- return False; -- } -+ if ((nentries == ncolors) && -+ (nentries < (INT_MAX / SIZEOF (xColorItem)))) { -+ nbytes = nentries * SIZEOF (xColorItem); - -- if (ncolors > 256) -- rbufp = (xColorItem*) Xmalloc (nbytes); -- else -- rbufp = rbuf; -+ if (ncolors > 256) -+ rbufp = Xmalloc (nbytes); -+ else -+ rbufp = rbuf; -+ } else -+ rbufp = NULL; - - if (rbufp == NULL) { - _XEatDataWords(dpy, rep.length); --- -1.8.2.3 - |