diff options
author | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-24 08:48:52 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-24 08:48:52 +0000 |
commit | adf915bf8b5c4ff1c07648f42cee8ab4d804dede (patch) | |
tree | 6c08fce45da9c21698b244140ba27cd582104170 /main/libxext/0003-integer-overflow-in-XcupStoreColors-CVE-2013-1982-2-.patch | |
parent | c3c243cd3795568ab5dd6fb7648f225ef2dbf593 (diff) | |
download | aports-adf915bf8b5c4ff1c07648f42cee8ab4d804dede.tar.bz2 aports-adf915bf8b5c4ff1c07648f42cee8ab4d804dede.tar.xz |
main/libxext: fix CVE-2013-1982
ref #1931
Diffstat (limited to 'main/libxext/0003-integer-overflow-in-XcupStoreColors-CVE-2013-1982-2-.patch')
-rw-r--r-- | main/libxext/0003-integer-overflow-in-XcupStoreColors-CVE-2013-1982-2-.patch | 63 |
1 files changed, 63 insertions, 0 deletions
diff --git a/main/libxext/0003-integer-overflow-in-XcupStoreColors-CVE-2013-1982-2-.patch b/main/libxext/0003-integer-overflow-in-XcupStoreColors-CVE-2013-1982-2-.patch new file mode 100644 index 0000000000..0be477d23d --- /dev/null +++ b/main/libxext/0003-integer-overflow-in-XcupStoreColors-CVE-2013-1982-2-.patch @@ -0,0 +1,63 @@ +From 082d70b19848059ba78c9d1c315114fb07e8c0ef Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat, 9 Mar 2013 14:40:33 -0800 +Subject: [PATCH 3/7] integer overflow in XcupStoreColors() [CVE-2013-1982 2/6] + +If the computed number of entries is large enough that it overflows when +multiplied by the size of a xColorItem struct, or is treated as negative +when compared to the size of the stack allocated buffer, then memory +corruption can occur when more bytes are read from the X server than the +size of the buffer we allocated to hold them. + +The requirement to match the number of colors specified by the caller makes +this much harder to hit than the one in XcupGetReservedColormapEntries() + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + src/Xcup.c | 25 +++++++++++-------------- + 1 file changed, 11 insertions(+), 14 deletions(-) + +diff --git a/src/Xcup.c b/src/Xcup.c +index 670f356..cdc64c2 100644 +--- a/src/Xcup.c ++++ b/src/Xcup.c +@@ -219,24 +219,21 @@ XcupStoreColors( + } + + if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) { +- long nbytes; ++ unsigned long nbytes; + xColorItem* rbufp; + xColorItem* cs; +- int nentries = rep.length / 3; +- +- nbytes = nentries * SIZEOF (xColorItem); ++ unsigned int nentries = rep.length / 3; + +- if (nentries != ncolors) { +- _XEatDataWords(dpy, rep.length); +- UnlockDisplay (dpy); +- SyncHandle (); +- return False; +- } ++ if ((nentries == ncolors) && ++ (nentries < (INT_MAX / SIZEOF (xColorItem)))) { ++ nbytes = nentries * SIZEOF (xColorItem); + +- if (ncolors > 256) +- rbufp = (xColorItem*) Xmalloc (nbytes); +- else +- rbufp = rbuf; ++ if (ncolors > 256) ++ rbufp = Xmalloc (nbytes); ++ else ++ rbufp = rbuf; ++ } else ++ rbufp = NULL; + + if (rbufp == NULL) { + _XEatDataWords(dpy, rep.length); +-- +1.8.2.3 + |