Diffstat (limited to 'main/libxfixes/CVE-2013-1983.patch')
-rw-r--r-- | main/libxfixes/CVE-2013-1983.patch | 70 |
1 files changed, 70 insertions, 0 deletions
diff --git a/main/libxfixes/CVE-2013-1983.patch b/main/libxfixes/CVE-2013-1983.patch
new file mode 100644
index 0000000000..d0089d4f61
--- /dev/null
+++ b/main/libxfixes/CVE-2013-1983.patch
@@ -0,0 +1,70 @@
+From c480fe3271873ec7471b0cbd680f4dac18ca8904 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 17:24:08 +0000
+Subject: integer overflow in XFixesGetCursorImage() [CVE-2013-1983]
+
+If the reported cursor dimensions or name length are too large, the
+calculations to allocate memory for them may overflow, leaving us
+writing beyond the bounds of the allocation.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+diff --git a/src/Cursor.c b/src/Cursor.c
+index 641b747..33590b7 100644
+--- a/src/Cursor.c
++++ b/src/Cursor.c
+@@ -47,6 +47,7 @@
+ #include <config.h>
+ #endif
+ #include "Xfixesint.h"
++#include <limits.h>
+ 
+ void
+ XFixesSelectCursorInput (Display *dpy,
+@@ -74,9 +75,9 @@ XFixesGetCursorImage (Display *dpy)
+ XFixesExtDisplayInfo *info = XFixesFindDisplay (dpy);
+ xXFixesGetCursorImageAndNameReq *req;
+ xXFixesGetCursorImageAndNameReply rep;
+- int npixels;
+- int nbytes_name;
+- int nbytes, nread, rlength;
++ size_t npixels;
++ size_t nbytes_name;
++ size_t nbytes, nread, rlength;
+ XFixesCursorImage *image;
+ char *name;
+ 
+@@ -101,16 +102,21 @@ XFixesGetCursorImage (Display *dpy)
+ }
+ npixels = rep.width * rep.height;
+ nbytes_name = rep.nbytes;
+- /* reply data length */
+- nbytes = (long) rep.length << 2;
+- /* bytes of actual data in the reply */
+- nread = (npixels << 2) + nbytes_name;
+- /* size of data returned to application */
+- rlength = (sizeof (XFixesCursorImage) +
+- npixels * sizeof (unsigned long) +
+- nbytes_name + 1);
++ if ((rep.length < (INT_MAX >> 2)) &&
++ npixels < (((INT_MAX >> 3) - sizeof (XFixesCursorImage) - 1)
++ - nbytes_name)) {
++ /* reply data length */
++ nbytes = (size_t) rep.length << 2;
++ /* bytes of actual data in the reply */
++ nread = (npixels << 2) + nbytes_name;
++ /* size of data returned to application */
++ rlength = (sizeof (XFixesCursorImage) +
++ npixels * sizeof (unsigned long) +
++ nbytes_name + 1);
+ 
+- image = (XFixesCursorImage *) Xmalloc (rlength);
++ image = Xmalloc (rlength);
++ } else
++ image = NULL;
+ if (!image)
+ {
+ _XEatDataWords(dpy, rep.length);
+--
+cgit v0.9.0.2-2-gbebe |
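Review bot: The new bound in the `@@ -101,16 +102,21 @@` hunk of the embedded patch tests `npixels` only after `npixels = rep.width * rep.height;` has already been evaluated, so if `rep.width` and `rep.height` are 16-bit wire fields (their declarations are not visible here) the product is formed in `int` and can exceed INT_MAX before it is widened to `size_t`. Forcing the multiplication into the wider type, `npixels = (size_t) rep.width * rep.height;`, keeps it defined and lets the comparison against `(INT_MAX >> 3) - sizeof (XFixesCursorImage) - 1 - nbytes_name` see the real pixel count. Nothing visible in the hunk compares `nread` with `nbytes`, so the read of `npixels << 2` bytes that presumably follows is bounded only by the allocation size computed here; that part of XFixesGetCursorImage lies outside the hunk. Because this file is a verbatim backport of an upstream commit, the extra cast belongs in a separate follow-up patch rather than an edit of this one.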