diff options
author | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-24 09:35:12 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-24 09:35:12 +0000 |
commit | dfac4cbecc1c27d53504a0d9a80019146c9c9bfb (patch) | |
tree | 945b47f0220d364a49d091c098baeeb874db2226 /main/libxvmc/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch | |
parent | a04d1c8ff925273f3caf3a46393cf73ac2b96ab5 (diff) | |
download | aports-dfac4cbecc1c27d53504a0d9a80019146c9c9bfb.tar.bz2 aports-dfac4cbecc1c27d53504a0d9a80019146c9c9bfb.tar.xz |
main/libxvmc: fix CVE-2013-1990,CVE-2013-1999
ref #1931
Diffstat (limited to 'main/libxvmc/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch')
-rw-r--r-- | main/libxvmc/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch | 111 |
1 files changed, 111 insertions, 0 deletions
diff --git a/main/libxvmc/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch b/main/libxvmc/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch new file mode 100644 index 0000000000..bba7803645 --- /dev/null +++ b/main/libxvmc/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch @@ -0,0 +1,111 @@ +From cf1a1dc1b9ca34a29d0471da9389f8eae70ddbd9 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat, 13 Apr 2013 00:47:57 -0700 +Subject: [PATCH 1/6] Use _XEatDataWords to avoid overflow of rep.length + shifting + +rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds + +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + configure.ac | 6 ++++++ + src/XvMC.c | 24 ++++++++++++++++++------ + 2 files changed, 24 insertions(+), 6 deletions(-) + +diff --git a/configure.ac b/configure.ac +index b44f80d..f9d59a1 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -42,6 +42,12 @@ XORG_CHECK_MALLOC_ZERO + # Obtain compiler/linker options for depedencies + PKG_CHECK_MODULES(XVMC, x11 xext xv xextproto videoproto) + ++# Check for _XEatDataWords function that may be patched into older Xlib release ++SAVE_LIBS="$LIBS" ++LIBS="$XVMC_LIBS" ++AC_CHECK_FUNCS([_XEatDataWords]) ++LIBS="$SAVE_LIBS" ++ + # Checks for library functions. + AC_CHECK_FUNCS([shmat]) + +diff --git a/src/XvMC.c b/src/XvMC.c +index 5a4cf0d..b3e97ec 100644 +--- a/src/XvMC.c ++++ b/src/XvMC.c +@@ -16,6 +16,18 @@ + #include <sys/time.h> + #include <X11/extensions/Xext.h> + #include <X11/extensions/extutil.h> ++#include <limits.h> ++ ++#ifndef HAVE__XEATDATAWORDS ++static inline void _XEatDataWords(Display *dpy, unsigned long n) ++{ ++# ifndef LONG64 ++ if (n >= (ULONG_MAX >> 2)) ++ _XIOError(dpy); ++# endif ++ _XEatData (dpy, n << 2); ++} ++#endif + + static XExtensionInfo _xvmc_info_data; + static XExtensionInfo *xvmc_info = &_xvmc_info_data; +@@ -134,7 +146,7 @@ XvMCSurfaceInfo * XvMCListSurfaceTypes(Display *dpy, XvPortID port, int *num) + surface_info[i].flags = sinfo.flags; + } + } else +- _XEatData(dpy, rep.length << 2); ++ _XEatDataWords(dpy, rep.length); + } + + UnlockDisplay (dpy); +@@ -207,7 +219,7 @@ XvImageFormatValues * XvMCListSubpictureTypes ( + ret[i].scanline_order = Info.scanline_order; + } + } else +- _XEatData(dpy, rep.length << 2); ++ _XEatDataWords(dpy, rep.length); + } + + UnlockDisplay (dpy); +@@ -278,7 +290,7 @@ Status _xvmc_create_context ( + _XRead(dpy, (char*)(*priv_data), rep.length << 2); + *priv_count = rep.length; + } else +- _XEatData(dpy, rep.length << 2); ++ _XEatDataWords(dpy, rep.length); + } + + UnlockDisplay (dpy); +@@ -359,7 +371,7 @@ Status _xvmc_create_surface ( + _XRead(dpy, (char*)(*priv_data), rep.length << 2); + *priv_count = rep.length; + } else +- _XEatData(dpy, rep.length << 2); ++ _XEatDataWords(dpy, rep.length); + } + + UnlockDisplay (dpy); +@@ -449,7 +461,7 @@ Status _xvmc_create_subpicture ( + _XRead(dpy, (char*)(*priv_data), rep.length << 2); + *priv_count = rep.length; + } else +- _XEatData(dpy, rep.length << 2); ++ _XEatDataWords(dpy, rep.length); + } + + UnlockDisplay (dpy); +@@ -579,7 +591,7 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port, + + } else { + +- _XEatData(dpy, realSize); ++ _XEatDataWords(dpy, rep.length); + UnlockDisplay (dpy); + SyncHandle (); + return -1; +-- +1.8.2.3 + |