aboutsummaryrefslogtreecommitdiffstats
path: root/main/libxvmc/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2013-05-24 09:35:12 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2013-05-24 09:35:12 +0000
commitdfac4cbecc1c27d53504a0d9a80019146c9c9bfb (patch)
tree945b47f0220d364a49d091c098baeeb874db2226 /main/libxvmc/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
parenta04d1c8ff925273f3caf3a46393cf73ac2b96ab5 (diff)
downloadaports-dfac4cbecc1c27d53504a0d9a80019146c9c9bfb.tar.bz2
aports-dfac4cbecc1c27d53504a0d9a80019146c9c9bfb.tar.xz
main/libxvmc: fix CVE-2013-1990,CVE-2013-1999
ref #1931
Diffstat (limited to 'main/libxvmc/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch')
-rw-r--r--main/libxvmc/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch111
1 files changed, 111 insertions, 0 deletions
diff --git a/main/libxvmc/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch b/main/libxvmc/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
new file mode 100644
index 0000000000..bba7803645
--- /dev/null
+++ b/main/libxvmc/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
@@ -0,0 +1,111 @@
+From cf1a1dc1b9ca34a29d0471da9389f8eae70ddbd9 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 00:47:57 -0700
+Subject: [PATCH 1/6] Use _XEatDataWords to avoid overflow of rep.length
+ shifting
+
+rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ configure.ac | 6 ++++++
+ src/XvMC.c | 24 ++++++++++++++++++------
+ 2 files changed, 24 insertions(+), 6 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index b44f80d..f9d59a1 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -42,6 +42,12 @@ XORG_CHECK_MALLOC_ZERO
+ # Obtain compiler/linker options for depedencies
+ PKG_CHECK_MODULES(XVMC, x11 xext xv xextproto videoproto)
+
++# Check for _XEatDataWords function that may be patched into older Xlib release
++SAVE_LIBS="$LIBS"
++LIBS="$XVMC_LIBS"
++AC_CHECK_FUNCS([_XEatDataWords])
++LIBS="$SAVE_LIBS"
++
+ # Checks for library functions.
+ AC_CHECK_FUNCS([shmat])
+
+diff --git a/src/XvMC.c b/src/XvMC.c
+index 5a4cf0d..b3e97ec 100644
+--- a/src/XvMC.c
++++ b/src/XvMC.c
+@@ -16,6 +16,18 @@
+ #include <sys/time.h>
+ #include <X11/extensions/Xext.h>
+ #include <X11/extensions/extutil.h>
++#include <limits.h>
++
++#ifndef HAVE__XEATDATAWORDS
++static inline void _XEatDataWords(Display *dpy, unsigned long n)
++{
++# ifndef LONG64
++ if (n >= (ULONG_MAX >> 2))
++ _XIOError(dpy);
++# endif
++ _XEatData (dpy, n << 2);
++}
++#endif
+
+ static XExtensionInfo _xvmc_info_data;
+ static XExtensionInfo *xvmc_info = &_xvmc_info_data;
+@@ -134,7 +146,7 @@ XvMCSurfaceInfo * XvMCListSurfaceTypes(Display *dpy, XvPortID port, int *num)
+ surface_info[i].flags = sinfo.flags;
+ }
+ } else
+- _XEatData(dpy, rep.length << 2);
++ _XEatDataWords(dpy, rep.length);
+ }
+
+ UnlockDisplay (dpy);
+@@ -207,7 +219,7 @@ XvImageFormatValues * XvMCListSubpictureTypes (
+ ret[i].scanline_order = Info.scanline_order;
+ }
+ } else
+- _XEatData(dpy, rep.length << 2);
++ _XEatDataWords(dpy, rep.length);
+ }
+
+ UnlockDisplay (dpy);
+@@ -278,7 +290,7 @@ Status _xvmc_create_context (
+ _XRead(dpy, (char*)(*priv_data), rep.length << 2);
+ *priv_count = rep.length;
+ } else
+- _XEatData(dpy, rep.length << 2);
++ _XEatDataWords(dpy, rep.length);
+ }
+
+ UnlockDisplay (dpy);
+@@ -359,7 +371,7 @@ Status _xvmc_create_surface (
+ _XRead(dpy, (char*)(*priv_data), rep.length << 2);
+ *priv_count = rep.length;
+ } else
+- _XEatData(dpy, rep.length << 2);
++ _XEatDataWords(dpy, rep.length);
+ }
+
+ UnlockDisplay (dpy);
+@@ -449,7 +461,7 @@ Status _xvmc_create_subpicture (
+ _XRead(dpy, (char*)(*priv_data), rep.length << 2);
+ *priv_count = rep.length;
+ } else
+- _XEatData(dpy, rep.length << 2);
++ _XEatDataWords(dpy, rep.length);
+ }
+
+ UnlockDisplay (dpy);
+@@ -579,7 +591,7 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port,
+
+ } else {
+
+- _XEatData(dpy, realSize);
++ _XEatDataWords(dpy, rep.length);
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ return -1;
+--
+1.8.2.3
+