Diffstat (limited to 'main/libxp/0005-integer-overflows-in-XpQueryScreens-CVE-2013-2062-3-.patch')
-rw-r--r--main/libxp/0005-integer-overflows-in-XpQueryScreens-CVE-2013-2062-3-.patch64
1 files changed, 0 insertions, 64 deletions
diff --git a/main/libxp/0005-integer-overflows-in-XpQueryScreens-CVE-2013-2062-3-.patch b/main/libxp/0005-integer-overflows-in-XpQueryScreens-CVE-2013-2062-3-.patch
deleted file mode 100644
index c7e925e357..0000000000
--- a/main/libxp/0005-integer-overflows-in-XpQueryScreens-CVE-2013-2062-3-.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From e111065f6dd790c820fa67ea31055b18c68481e3 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Fri, 26 Apr 2013 23:59:25 -0700
-Subject: [PATCH 5/5] integer overflows in XpQueryScreens() [CVE-2013-2062 3/3]
-
-listCount is a CARD32 that needs to be bounds checked before it is
-multiplied by the size of the pointers to allocate, to avoid integer
-overflow leading to underallocation and writing data from the network
-past the end of the allocated buffer.
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- src/XpScreens.c | 16 ++++++++--------
- 1 file changed, 8 insertions(+), 8 deletions(-)
-
-diff --git a/src/XpScreens.c b/src/XpScreens.c
-index 815dfbf..b31e554 100644
---- a/src/XpScreens.c
-+++ b/src/XpScreens.c
-@@ -42,6 +42,7 @@
- #include <X11/extensions/Printstr.h>
- #include <X11/Xlibint.h>
- #include "XpExtUtil.h"
-+#include <limits.h>
-
-
- Screen **
-@@ -82,19 +83,17 @@ XpQueryScreens (
- *list_count = rep.listCount;
-
- if (*list_count) {
-- scr_list = (Screen **)
-- Xmalloc( (unsigned) (sizeof(Screen *) * *list_count) );
-+ if (rep.listCount < (INT_MAX / sizeof(Screen *)))
-+ scr_list = Xmalloc(sizeof(Screen *) * *list_count);
-+ else
-+ scr_list = NULL;
-
- if (!scr_list) {
-- UnlockDisplay(dpy);
-- SyncHandle();
-- return ( (Screen **) NULL ); /* malloc error */
-+ _XEatDataWords(dpy, rep.length);
-+ goto out;
- }
- i = 0;
- while(i < *list_count){
-- /*
-- * Pull printer length and then name.
-- */
- _XRead32 (dpy, &rootWindow, (long) sizeof(CARD32) );
- scr_list[i] = NULL;
- for ( j = 0; j < XScreenCount(dpy); j++ ) {
-@@ -118,6 +117,7 @@ XpQueryScreens (
- scr_list = (Screen **) NULL;
- }
-
-+ out:
- UnlockDisplay(dpy);
- SyncHandle();
-
---
-1.8.2.3
-