1 files changed, 34 insertions, 0 deletions

diff --git a/main/libxcursor/CVE-2013-2003.patch b/main/libxcursor/CVE-2013-2003.patch
new file mode 100644
index 0000000000..a4f41e1453
--- /dev/null
+++ b/main/libxcursor/CVE-2013-2003.patch
@@ -0,0 +1,34 @@
+From 8f677eaea05290531d007d1fec2768119926088d Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 04:17:28 +0000
+Subject: signedness bug & integer overflow in _XcursorFileHeaderCreate() [CVE-2013-2003]
+
+When parsing cursor files, a user defined (e.g. through environment
+variables) cursor file is opened and parsed.
+
+The header is read in _XcursorReadFileHeader(), which reads an unsigned
+int for the number of toc structures in the header, but it was being
+passed to _XcursorFileHeaderCreate() as a signed int to allocate those
+structures.  If the number was negative, it would pass the bounds check
+and could overflow the calculation for how much memory to allocate to
+store the data being read, leading to overflowing the buffer with the
+data read from the user controlled file.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+diff --git a/src/file.c b/src/file.c
+index efe6d4b..ce9de78 100644
+--- a/src/file.c
++++ b/src/file.c
+@@ -205,7 +205,7 @@ _XcursorFileHeaderDestroy (XcursorFileHeader *fileHeader)
+ }
+ 
+ static XcursorFileHeader *
+-_XcursorFileHeaderCreate (int ntoc)
++_XcursorFileHeaderCreate (XcursorUInt ntoc)
+ {
+     XcursorFileHeader	*fileHeader;
+ 
+--
+cgit v0.9.0.2-2-gbebe