diff options
| author | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-24 09:14:10 +0000 |
|---|---|---|
| committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-24 09:16:48 +0000 |
| commit | f4a1e4bfe936b7b1c1364a8ebc769145f060ce25 (patch) | |
| tree | a99742771afbe580dfaf321e596ca12a09c2d643 /main/libxrandr/0007-Make-XRRGet-Property-always-initialize-returned-valu.patch | |
| parent | 596f76568714ab83fed8fef00c69f6493e6996e3 (diff) | |
| download | aports-f4a1e4bfe936b7b1c1364a8ebc769145f060ce25.tar.bz2 aports-f4a1e4bfe936b7b1c1364a8ebc769145f060ce25.tar.xz | |
main/libxrandr: fix CVE-2013-1986
ref #1931
Diffstat (limited to 'main/libxrandr/0007-Make-XRRGet-Property-always-initialize-returned-valu.patch')
| -rw-r--r-- | main/libxrandr/0007-Make-XRRGet-Property-always-initialize-returned-valu.patch | 74 |
1 files changed, 74 insertions, 0 deletions
diff --git a/main/libxrandr/0007-Make-XRRGet-Property-always-initialize-returned-valu.patch b/main/libxrandr/0007-Make-XRRGet-Property-always-initialize-returned-valu.patch new file mode 100644 index 0000000000..659b9c1752 --- /dev/null +++ b/main/libxrandr/0007-Make-XRRGet-Property-always-initialize-returned-valu.patch @@ -0,0 +1,74 @@ +From c90f74497dbcb96854346435349c6e2207b530c5 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat, 4 May 2013 21:47:50 -0700 +Subject: [PATCH 7/7] Make XRRGet*Property() always initialize returned values + +Avoids memory corruption and other errors when callers access them +without checking to see if the calls returned an error value. + +Callers are still required to check for errors, this just reduces the +damage when they don't. + +(Same as reported against libX11 XGetWindowProperty by Ilja Van Sprundel) + +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + src/XrrProperty.c | 8 +++++++- + src/XrrProviderProperty.c | 8 +++++++- + 2 files changed, 14 insertions(+), 2 deletions(-) + +diff --git a/src/XrrProperty.c b/src/XrrProperty.c +index 707a28d..2096c56 100644 +--- a/src/XrrProperty.c ++++ b/src/XrrProperty.c +@@ -259,6 +259,13 @@ XRRGetOutputProperty (Display *dpy, RROutput output, + xRRGetOutputPropertyReq *req; + unsigned long nbytes, rbytes; + ++ /* Always initialize return values, in case callers fail to initialize ++ them and fail to check the return code for an error. */ ++ *actual_type = None; ++ *actual_format = 0; ++ *nitems = *bytes_after = 0L; ++ *prop = (unsigned char *) NULL; ++ + RRCheckExtension (dpy, info, 1); + + LockDisplay (dpy); +@@ -280,7 +287,6 @@ XRRGetOutputProperty (Display *dpy, RROutput output, + return ((xError *)&rep)->errorCode; + } + +- *prop = (unsigned char *) NULL; + if (rep.propertyType != None) { + int format = rep.format; + +diff --git a/src/XrrProviderProperty.c b/src/XrrProviderProperty.c +index 6989580..34cc082 100644 +--- a/src/XrrProviderProperty.c ++++ b/src/XrrProviderProperty.c +@@ -259,6 +259,13 @@ XRRGetProviderProperty (Display *dpy, RRProvider provider, + xRRGetProviderPropertyReq *req; + unsigned long nbytes, rbytes; + ++ /* Always initialize return values, in case callers fail to initialize ++ them and fail to check the return code for an error. */ ++ *actual_type = None; ++ *actual_format = 0; ++ *nitems = *bytes_after = 0L; ++ *prop = (unsigned char *) NULL; ++ + RRCheckExtension (dpy, info, 1); + + LockDisplay (dpy); +@@ -280,7 +287,6 @@ XRRGetProviderProperty (Display *dpy, RRProvider provider, + return ((xError *)&rep)->errorCode; + } + +- *prop = (unsigned char *) NULL; + if (rep.propertyType != None) { + int format = rep.format; + +-- +1.8.2.3 + |