Diffstat (limited to 'main/libxi/0011-integer-overflow-in-XIGetProperty-CVE-2013-1984-5-8.patch')
-rw-r--r-- | main/libxi/0011-integer-overflow-in-XIGetProperty-CVE-2013-1984-5-8.patch | 59 |
1 files changed, 59 insertions, 0 deletions
diff --git a/main/libxi/0011-integer-overflow-in-XIGetProperty-CVE-2013-1984-5-8.patch b/main/libxi/0011-integer-overflow-in-XIGetProperty-CVE-2013-1984-5-8.patch
new file mode 100644
index 0000000000..739b5ce401
--- /dev/null
+++ b/main/libxi/0011-integer-overflow-in-XIGetProperty-CVE-2013-1984-5-8.patch
@@ -0,0 +1,59 @@
+From dcb6742eea1e709aa1cc6d5cbbcfb5b060bb067c Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 9 Mar 2013 22:55:23 -0800
+Subject: [PATCH 11/16] integer overflow in XIGetProperty() [CVE-2013-1984
+ 5/8]
+
+If the number of items reported by the server is large enough that
+it overflows when multiplied by the size of the appropriate item type,
+then memory corruption can occur when more bytes are copied from the
+X server reply than the size of the buffer we allocated to hold them.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+(cherry picked from commit 242f92b490a695fbab244af5bad11b71f897c732)
+(cherry picked from commit 6d992e2b31f58e716e63f9a1e5d910a66f51a11b)
+---
+ src/XIProperties.c | 11 +++++++----
+ 1 files changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/src/XIProperties.c b/src/XIProperties.c
+index 5e58fb6..32436d1 100644
+--- a/src/XIProperties.c
++++ b/src/XIProperties.c
+@@ -38,6 +38,7 @@
+ #include <X11/extensions/XInput2.h>
+ #include <X11/extensions/extutil.h>
+ #include "XIint.h"
++#include <limits.h>
+
+ Atom*
+ XIListProperties(Display* dpy, int deviceid, int *num_props_return)
+@@ -170,7 +171,7 @@ XIGetProperty(Display* dpy, int deviceid, Atom property, long offset,
+ {
+ xXIGetPropertyReq *req;
+ xXIGetPropertyReply rep;
+- long nbytes, rbytes;
++ unsigned long nbytes, rbytes;
+
+ XExtDisplayInfo *info = XInput_find_display(dpy);
+
+@@ -216,9 +217,11 @@ XIGetProperty(Display* dpy, int deviceid, Atom property, long offset,
+ * recopy the string to make it null terminated.
+ */
+
+- nbytes = rep.num_items * rep.format/8;
+- rbytes = nbytes + 1;
+- *data = Xmalloc(rbytes);
++ if (rep.num_items < (INT_MAX / (rep.format/8))) {
++ nbytes = rep.num_items * rep.format/8;
++ rbytes = nbytes + 1;
++ *data = Xmalloc(rbytes);
++ }
+
+ if (!(*data)) {
+ _XEatDataWords(dpy, rep.length);
+--
+1.7.7.1
+ |
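Review bot: When the new bounds check in XIGetProperty() fails, nothing in this hunk assigns `*data`, so the following `if (!(*data))` tests whatever value the caller's pointer already held. Unless `*data` is cleared earlier in the function (not visible here), an oversized `rep.num_items` skips the error branch and continues with `nbytes` unset. Adding `*data = NULL;` immediately before `if (rep.num_items < (INT_MAX / (rep.format/8))) {` makes the overflow case take the existing `_XEatDataWords` failure path. The divisor `rep.format/8` also comes from the server reply, so the check relies on `rep.format` having been validated as 8, 16 or 32 above the hunk; if it has not, a format below 8 divides by zero. The function body starts and ends outside the hunk.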