Diffstat (limited to 'main/libxp/0003-integer-overflow-in-XpGetAttributes-XpGetOneAttribut.patch')
-rw-r--r-- | main/libxp/0003-integer-overflow-in-XpGetAttributes-XpGetOneAttribut.patch | 86 |
1 files changed, 86 insertions, 0 deletions
diff --git a/main/libxp/0003-integer-overflow-in-XpGetAttributes-XpGetOneAttribut.patch b/main/libxp/0003-integer-overflow-in-XpGetAttributes-XpGetOneAttribut.patch
new file mode 100644
index 0000000000..e510b705e0
--- /dev/null
+++ b/main/libxp/0003-integer-overflow-in-XpGetAttributes-XpGetOneAttribut.patch
@@ -0,0 +1,86 @@
+From babb1fc823ab3be192c48fe115feeb0d57f74d05 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 26 Apr 2013 23:59:25 -0700
+Subject: [PATCH 3/5] integer overflow in XpGetAttributes & XpGetOneAttribute
+ [CVE-2013-2062 1/3]
+
+stringLen & valueLen are CARD32s and need to be bounds checked before adding
+one to them to come up with the total size to allocate, to avoid integer
+overflow leading to underallocation and writing data from the network past
+the end of the allocated buffer.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XpAttr.c | 36 +++++++++++++++++++-----------------
+ 1 file changed, 19 insertions(+), 17 deletions(-)
+
+diff --git a/src/XpAttr.c b/src/XpAttr.c
+index 6818daf..665e2e8 100644
+--- a/src/XpAttr.c
++++ b/src/XpAttr.c
+@@ -48,6 +48,7 @@
+
+ #include <stdio.h>
+ #include <sys/stat.h>
++#include <limits.h>
+
+ char *
+ XpGetAttributes (
+@@ -83,17 +84,18 @@ XpGetAttributes (
+ /*
+ * Read pool and return to caller.
+ */
+- buf = Xmalloc( (unsigned) rep.stringLen + 1 );
++ if (rep.stringLen < INT_MAX)
++ buf = Xmalloc(rep.stringLen + 1);
++ else
++ buf = NULL;
+
+ if (!buf) {
+- UnlockDisplay(dpy);
+- SyncHandle();
+- return( (char *) NULL ); /* malloc error */
++ _XEatDataWords(dpy, rep.length);
++ }
++ else {
++ _XReadPad (dpy, (char *) buf, rep.stringLen );
++ buf[rep.stringLen] = 0;
+ }
+-
+- _XReadPad (dpy, (char *) buf, (long) rep.stringLen );
+-
+- buf[rep.stringLen] = 0;
+
+ UnlockDisplay(dpy);
+ SyncHandle();
+@@ -144,18 +146,18 @@ XpGetOneAttribute (
+ /*
+ * Read variable answer.
+ */
+- buf = Xmalloc( (unsigned) rep.valueLen + 1 );
++ if (rep.valueLen < INT_MAX)
++ buf = Xmalloc(rep.valueLen + 1);
++ else
++ buf = NULL;
+
+ if (!buf) {
+- UnlockDisplay(dpy);
+- SyncHandle();
+- return( (char *) NULL ); /* malloc error */
++ _XEatDataWords(dpy, rep.length);
++ }
++ else {
++ _XReadPad (dpy, (char *) buf, rep.valueLen);
++ buf[rep.valueLen] = 0;
+ }
+-
+- buf[rep.valueLen] = 0;
+-
+- _XReadPad (dpy, (char *) buf, (long) rep.valueLen );
+- buf[rep.valueLen] = 0;
+
+ UnlockDisplay(dpy);
+ SyncHandle();
+--
+1.8.2.3
+ |
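Review bot: The new guard in XpGetAttributes (`if (rep.stringLen < INT_MAX)`) and its twin in XpGetOneAttribute (`rep.valueLen < INT_MAX`) stop the `+ 1` wrap, but neither compares the server-supplied byte count with `rep.length`. A reply that claims more string bytes than it carries therefore still reaches `_XReadPad` with a length of up to about 2 GiB, so the client may allocate that much and then block or consume bytes belonging to later replies. Tightening the condition to `if (rep.stringLen < INT_MAX && (rep.stringLen >> 2) <= rep.length)` (and the same for `valueLen`) would route such replies down the existing `_XEatDataWords` path; this assumes the reply payload is just the padded string, which the hunks do not show. Both functions begin and end outside the patched hunks, so how `buf` is returned is not visible here. The patch also calls `_XEatDataWords` without declaring it, so the package build presumably relies on a libX11 that provides it or on a fallback added by another patch in this 5-part series; worth confirming.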