authorNatanael Copa <ncopa@alpinelinux.org>2013-06-06 16:10:23 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2013-06-06 16:10:23 +0000
commit35abd83d4097101fbeeb4a212526848d22ecfa55 (patch)
treee68dd41510b0f77ff98a2258ad29a418dbf63176 /main/libxp/0003-integer-overflow-in-XpGetAttributes-XpGetOneAttribut.patch
parent61e1807d75995b90f2dea5e736b3ea225d87215b (diff)
main/libxp: upgrade to 1.0.2
Diffstat (limited to 'main/libxp/0003-integer-overflow-in-XpGetAttributes-XpGetOneAttribut.patch')
-rw-r--r--main/libxp/0003-integer-overflow-in-XpGetAttributes-XpGetOneAttribut.patch86
1 files changed, 0 insertions, 86 deletions
diff --git a/main/libxp/0003-integer-overflow-in-XpGetAttributes-XpGetOneAttribut.patch b/main/libxp/0003-integer-overflow-in-XpGetAttributes-XpGetOneAttribut.patch
deleted file mode 100644
index e510b705e0..0000000000
--- a/main/libxp/0003-integer-overflow-in-XpGetAttributes-XpGetOneAttribut.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From babb1fc823ab3be192c48fe115feeb0d57f74d05 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Fri, 26 Apr 2013 23:59:25 -0700
-Subject: [PATCH 3/5] integer overflow in XpGetAttributes & XpGetOneAttribute
- [CVE-2013-2062 1/3]
-
-stringLen & valueLen are CARD32s and need to be bounds checked before adding
-one to them to come up with the total size to allocate, to avoid integer
-overflow leading to underallocation and writing data from the network past
-the end of the allocated buffer.
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- src/XpAttr.c | 36 +++++++++++++++++++-----------------
- 1 file changed, 19 insertions(+), 17 deletions(-)
-
-diff --git a/src/XpAttr.c b/src/XpAttr.c
-index 6818daf..665e2e8 100644
---- a/src/XpAttr.c
-+++ b/src/XpAttr.c
-@@ -48,6 +48,7 @@
-
- #include <stdio.h>
- #include <sys/stat.h>
-+#include <limits.h>
-
- char *
- XpGetAttributes (
-@@ -83,17 +84,18 @@ XpGetAttributes (
- /*
- * Read pool and return to caller.
- */
-- buf = Xmalloc( (unsigned) rep.stringLen + 1 );
-+ if (rep.stringLen < INT_MAX)
-+ buf = Xmalloc(rep.stringLen + 1);
-+ else
-+ buf = NULL;
-
- if (!buf) {
-- UnlockDisplay(dpy);
-- SyncHandle();
-- return( (char *) NULL ); /* malloc error */
-+ _XEatDataWords(dpy, rep.length);
-+ }
-+ else {
-+ _XReadPad (dpy, (char *) buf, rep.stringLen );
-+ buf[rep.stringLen] = 0;
- }
--
-- _XReadPad (dpy, (char *) buf, (long) rep.stringLen );
--
-- buf[rep.stringLen] = 0;
-
- UnlockDisplay(dpy);
- SyncHandle();
-@@ -144,18 +146,18 @@ XpGetOneAttribute (
- /*
- * Read variable answer.
- */
-- buf = Xmalloc( (unsigned) rep.valueLen + 1 );
-+ if (rep.valueLen < INT_MAX)
-+ buf = Xmalloc(rep.valueLen + 1);
-+ else
-+ buf = NULL;
-
- if (!buf) {
-- UnlockDisplay(dpy);
-- SyncHandle();
-- return( (char *) NULL ); /* malloc error */
-+ _XEatDataWords(dpy, rep.length);
-+ }
-+ else {
-+ _XReadPad (dpy, (char *) buf, rep.valueLen);
-+ buf[rep.valueLen] = 0;
- }
--
-- buf[rep.valueLen] = 0;
--
-- _XReadPad (dpy, (char *) buf, (long) rep.valueLen );
-- buf[rep.valueLen] = 0;
-
- UnlockDisplay(dpy);
- SyncHandle();
---
-1.8.2.3
-