diff options
author | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-24 09:14:10 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-24 14:39:02 +0000 |
commit | 0df792b849962f1e9302b2405f6d846e414e27bc (patch) | |
tree | c61c2a5802dc37abe338d401344a5b22379ce2f1 /main/libxrandr/CVE-2013-1986-3.patch | |
parent | 04fca7445c2068e588b79b32e01639ef1a0de1b6 (diff) | |
download | aports-0df792b849962f1e9302b2405f6d846e414e27bc.tar.bz2 aports-0df792b849962f1e9302b2405f6d846e414e27bc.tar.xz |
main/libxrandr: fix CVE-2013-1986
Diffstat (limited to 'main/libxrandr/CVE-2013-1986-3.patch')
-rw-r--r-- | main/libxrandr/CVE-2013-1986-3.patch | 81 |
1 files changed, 81 insertions, 0 deletions
diff --git a/main/libxrandr/CVE-2013-1986-3.patch b/main/libxrandr/CVE-2013-1986-3.patch new file mode 100644 index 0000000000..3a6ed0353e --- /dev/null +++ b/main/libxrandr/CVE-2013-1986-3.patch @@ -0,0 +1,81 @@ +From d4946df6b4c2352b91786253d9bbfb098f59a821 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat, 4 May 2013 21:37:49 -0700 +Subject: [PATCH] integer overflow in XRRGetOutputProperty() [CVE-2013-1986 3/4] + +If the reported number of properties is too large, the calculations +to allocate memory for them may overflow, leaving us returning less +memory to the caller than implied by the value written to *nitems. + +(Same as reported against libX11 XGetWindowProperty by Ilja Van Sprundel) + +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Signed-off-by: Julien Cristau <jcristau@debian.org> +--- + src/XrrProperty.c | 22 ++++++++++++++-------- + 1 files changed, 14 insertions(+), 8 deletions(-) + +diff --git a/src/XrrProperty.c b/src/XrrProperty.c +index 603da9a..0c30d43 100644 +--- a/src/XrrProperty.c ++++ b/src/XrrProperty.c +@@ -257,7 +257,7 @@ XRRGetOutputProperty (Display *dpy, RROutput output, + XExtDisplayInfo *info = XRRFindDisplay(dpy); + xRRGetOutputPropertyReply rep; + xRRGetOutputPropertyReq *req; +- long nbytes, rbytes; ++ unsigned long nbytes, rbytes; + + RRCheckExtension (dpy, info, 1); + +@@ -282,34 +282,40 @@ XRRGetOutputProperty (Display *dpy, RROutput output, + + *prop = (unsigned char *) NULL; + if (rep.propertyType != None) { ++ int format = rep.format; ++ ++ /* ++ * Protect against both integer overflow and just plain oversized ++ * memory allocation - no server should ever return this many props. ++ */ ++ if (rep.nItems >= (INT_MAX >> 4)) ++ format = -1; /* fall through to default error case */ ++ + /* + * One extra byte is malloced than is needed to contain the property + * data, but this last byte is null terminated and convenient for + * returning string properties, so the client doesn't then have to + * recopy the string to make it null terminated. + */ +- switch (rep.format) { ++ switch (format) { + case 8: + nbytes = rep.nItems; + rbytes = rep.nItems + 1; +- if (rbytes > 0 && +- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes))) ++ if (rbytes > 0 && (*prop = Xmalloc (rbytes))) + _XReadPad (dpy, (char *) *prop, nbytes); + break; + + case 16: + nbytes = rep.nItems << 1; + rbytes = rep.nItems * sizeof (short) + 1; +- if (rbytes > 0 && +- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes))) ++ if (rbytes > 0 && (*prop = Xmalloc (rbytes))) + _XRead16Pad (dpy, (short *) *prop, nbytes); + break; + + case 32: + nbytes = rep.nItems << 2; + rbytes = rep.nItems * sizeof (long) + 1; +- if (rbytes > 0 && +- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes))) ++ if (rbytes > 0 && (*prop = Xmalloc (rbytes))) + _XRead32 (dpy, (long *) *prop, nbytes); + break; + +-- +1.7.2.5 + |