aboutsummaryrefslogtreecommitdiffstats
path: root/main/libxxf86dga/0004-integer-overflow-underflow-in-XDGASetMode-CVE-2013-1.patch
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2013-05-24 09:48:42 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2013-05-24 09:48:42 +0000
commitdecef4fe3c4a8fac3afe45c8beebfa95550484f7 (patch)
tree8eabee6c69c09e0120221e1c580e7f3a974ad91a /main/libxxf86dga/0004-integer-overflow-underflow-in-XDGASetMode-CVE-2013-1.patch
parenta632a13327ab882c590bbae004b3be338edc14cf (diff)
downloadaports-decef4fe3c4a8fac3afe45c8beebfa95550484f7.tar.bz2
aports-decef4fe3c4a8fac3afe45c8beebfa95550484f7.tar.xz
main/libxxf86dga: fix CVE-2013-1991,CVE-2013-2000
ref #1931
Diffstat (limited to 'main/libxxf86dga/0004-integer-overflow-underflow-in-XDGASetMode-CVE-2013-1.patch')
-rw-r--r--main/libxxf86dga/0004-integer-overflow-underflow-in-XDGASetMode-CVE-2013-1.patch53
1 files changed, 53 insertions, 0 deletions
diff --git a/main/libxxf86dga/0004-integer-overflow-underflow-in-XDGASetMode-CVE-2013-1.patch b/main/libxxf86dga/0004-integer-overflow-underflow-in-XDGASetMode-CVE-2013-1.patch
new file mode 100644
index 0000000000..7a44a074ba
--- /dev/null
+++ b/main/libxxf86dga/0004-integer-overflow-underflow-in-XDGASetMode-CVE-2013-1.patch
@@ -0,0 +1,53 @@
+From f89cf306a60facdf102696840bc05acebd7d1772 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 12:38:25 -0700
+Subject: [PATCH 4/6] integer overflow & underflow in XDGASetMode()
+ [CVE-2013-1991 2/2]
+
+rep.length is a CARD32 and needs to be bounds checked before bit shifting
+and subtracting sz_xXDGAModeInfo to come up with the total size to allocate,
+to avoid integer overflow or underflow leading to underallocation and
+writing data from the network past the end of the allocated buffer.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XF86DGA2.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
+index b5145ee..90ca918 100644
+--- a/src/XF86DGA2.c
++++ b/src/XF86DGA2.c
+@@ -405,12 +405,15 @@ XDGASetMode(
+ if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) {
+ if(rep.length) {
+ xXDGAModeInfo info;
+- int size;
++ unsigned long size;
+
+- size = rep.length << 2;
+- size -= sz_xXDGAModeInfo; /* get text size */
++ if ((rep.length < (INT_MAX >> 2)) &&
++ (rep.length > (sz_xXDGAModeInfo >> 2))) {
++ size = rep.length << 2;
++ size -= sz_xXDGAModeInfo; /* get text size */
+
+- dev = (XDGADevice*)Xmalloc(sizeof(XDGADevice) + size);
++ dev = Xmalloc(sizeof(XDGADevice) + size);
++ }
+
+ if(dev) {
+ _XRead(dpy, (char*)(&info), sz_xXDGAModeInfo);
+@@ -451,6 +454,8 @@ XDGASetMode(
+ dev->data += rep.offset;
+ }
+ /* not sure what to do if the allocation fails */
++ else
++ _XEatDataWords(dpy, rep.length);
+ }
+ }
+
+--
+1.8.2.3
+