Diffstat (limited to 'main/libxfixes/CVE-2013-1983.patch')
-rw-r--r-- | main/libxfixes/CVE-2013-1983.patch | 70 |
1 files changed, 0 insertions, 70 deletions
diff --git a/main/libxfixes/CVE-2013-1983.patch b/main/libxfixes/CVE-2013-1983.patch
deleted file mode 100644
index d0089d4f61..0000000000
--- a/main/libxfixes/CVE-2013-1983.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From c480fe3271873ec7471b0cbd680f4dac18ca8904 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sat, 13 Apr 2013 17:24:08 +0000
-Subject: integer overflow in XFixesGetCursorImage() [CVE-2013-1983]
-
-If the reported cursor dimensions or name length are too large, the
-calculations to allocate memory for them may overflow, leaving us
-writing beyond the bounds of the allocation.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
-diff --git a/src/Cursor.c b/src/Cursor.c
-index 641b747..33590b7 100644
---- a/src/Cursor.c
-+++ b/src/Cursor.c
-@@ -47,6 +47,7 @@
- #include <config.h>
- #endif
- #include "Xfixesint.h"
-+#include <limits.h>
-
- void
- XFixesSelectCursorInput (Display *dpy,
-@@ -74,9 +75,9 @@ XFixesGetCursorImage (Display *dpy)
- XFixesExtDisplayInfo *info = XFixesFindDisplay (dpy);
- xXFixesGetCursorImageAndNameReq *req;
- xXFixesGetCursorImageAndNameReply rep;
-- int npixels;
-- int nbytes_name;
-- int nbytes, nread, rlength;
-+ size_t npixels;
-+ size_t nbytes_name;
-+ size_t nbytes, nread, rlength;
- XFixesCursorImage *image;
- char *name;
-
-@@ -101,16 +102,21 @@ XFixesGetCursorImage (Display *dpy)
- }
- npixels = rep.width * rep.height;
- nbytes_name = rep.nbytes;
-- /* reply data length */
-- nbytes = (long) rep.length << 2;
-- /* bytes of actual data in the reply */
-- nread = (npixels << 2) + nbytes_name;
-- /* size of data returned to application */
-- rlength = (sizeof (XFixesCursorImage) +
-- npixels * sizeof (unsigned long) +
-- nbytes_name + 1);
-+ if ((rep.length < (INT_MAX >> 2)) &&
-+ npixels < (((INT_MAX >> 3) - sizeof (XFixesCursorImage) - 1)
-+ - nbytes_name)) {
-+ /* reply data length */
-+ nbytes = (size_t) rep.length << 2;
-+ /* bytes of actual data in the reply */
-+ nread = (npixels << 2) + nbytes_name;
-+ /* size of data returned to application */
-+ rlength = (sizeof (XFixesCursorImage) +
-+ npixels * sizeof (unsigned long) +
-+ nbytes_name + 1);
-
-- image = (XFixesCursorImage *) Xmalloc (rlength);
-+ image = Xmalloc (rlength);
-+ } else
-+ image = NULL;
- if (!image)
- {
- _XEatDataWords(dpy, rep.length);
---
-cgit v0.9.0.2-2-gbebe |