main/libxext: fix CVE-2013-1982

ref #1931

1 files changed, 84 insertions, 0 deletions

diff --git a/main/libxext/0004-several-integer-overflows-in-XdbeGetVisualInfo-CVE-2.patch b/main/libxext/0004-several-integer-overflows-in-XdbeGetVisualInfo-CVE-2.patch
new file mode 100644
index 0000000000..75c50e0025
--- /dev/null
+++ b/main/libxext/0004-several-integer-overflows-in-XdbeGetVisualInfo-CVE-2.patch
@@ -0,0 +1,84 @@
+From 96d1da55a08c4cd52b763cb07bdce5cdcbec4da8 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 9 Mar 2013 14:40:33 -0800
+Subject: [PATCH 4/7] several integer overflows in XdbeGetVisualInfo()
+ [CVE-2013-1982 3/6]
+
+If the number of screens or visuals reported by the server is large enough
+that it overflows when multiplied by the size of the appropriate struct,
+then memory corruption can occur when more bytes are read from the X server
+than the size of the buffer we allocated to hold them.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/Xdbe.c | 27 +++++++++++++++++----------
+ 1 file changed, 17 insertions(+), 10 deletions(-)
+
+diff --git a/src/Xdbe.c b/src/Xdbe.c
+index 4b5fa18..016886c 100644
+--- a/src/Xdbe.c
++++ b/src/Xdbe.c
+@@ -39,6 +39,8 @@
+ #include <X11/extensions/extutil.h>
+ #include <X11/extensions/Xdbe.h>
+ #include <X11/extensions/dbeproto.h>
++#include <limits.h>
++#include "eat.h"
+ 
+ static XExtensionInfo _dbe_info_data;
+ static XExtensionInfo *dbe_info = &_dbe_info_data;
+@@ -352,9 +354,12 @@ XdbeScreenVisualInfo *XdbeGetVisualInfo (
+        *num_screens = rep.m;
+ 
+     /* allocate list of visual information to be returned */
+-    if (!(scrVisInfo =
+-        (XdbeScreenVisualInfo *)Xmalloc(
+-        (unsigned)(*num_screens * sizeof(XdbeScreenVisualInfo))))) {
++    if ((*num_screens > 0) && (*num_screens < 65536))
++        scrVisInfo = Xmalloc(*num_screens * sizeof(XdbeScreenVisualInfo));
++    else
++        scrVisInfo = NULL;
++    if (scrVisInfo == NULL) {
++        _XEatDataWords(dpy, rep.length);
+         UnlockDisplay (dpy);
+         SyncHandle ();
+         return NULL;
+@@ -362,25 +367,27 @@ XdbeScreenVisualInfo *XdbeGetVisualInfo (
+ 
+     for (i = 0; i < *num_screens; i++)
+     {
+-        int nbytes;
+         int j;
+-        long c;
++        unsigned long c;
+ 
+-        _XRead32 (dpy, &c, sizeof(CARD32));
+-        scrVisInfo[i].count = c;
++        _XRead32 (dpy, (long *) &c, sizeof(CARD32));
+ 
+-        nbytes = scrVisInfo[i].count * sizeof(XdbeVisualInfo);
++        if (c < 65536) {
++            scrVisInfo[i].count = c;
++            scrVisInfo[i].visinfo = Xmalloc(c * sizeof(XdbeVisualInfo));
++        } else
++            scrVisInfo[i].visinfo = NULL;
+ 
+         /* if we can not allocate the list of visual/depth info
+          * then free the lists that we already allocate as well
+          * as the visual info list itself
+          */
+-        if (!(scrVisInfo[i].visinfo = (XdbeVisualInfo *)Xmalloc(
+-            (unsigned)nbytes))) {
++        if (scrVisInfo[i].visinfo == NULL) {
+             for (j = 0; j < i; j++) {
+                 Xfree ((char *)scrVisInfo[j].visinfo);
+             }
+             Xfree ((char *)scrVisInfo);
++            _XEatDataWords(dpy, rep.length);
+             UnlockDisplay (dpy);
+             SyncHandle ();
+             return NULL;
+-- 
+1.8.2.3
+