Diffstat (limited to 'main/libxrandr/0003-integer-overflow-in-XRRQueryOutputProperty-CVE-2013-.patch')
-rw-r--r-- | main/libxrandr/0003-integer-overflow-in-XRRQueryOutputProperty-CVE-2013-.patch | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/main/libxrandr/0003-integer-overflow-in-XRRQueryOutputProperty-CVE-2013-.patch b/main/libxrandr/0003-integer-overflow-in-XRRQueryOutputProperty-CVE-2013-.patch
new file mode 100644
index 0000000000..0d07f5459d
--- /dev/null
+++ b/main/libxrandr/0003-integer-overflow-in-XRRQueryOutputProperty-CVE-2013-.patch
@@ -0,0 +1,60 @@
+From 0e79d96c36aef5889ae2e2a3fc2e96e93f30dc21 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 12 Apr 2013 21:44:59 -0700
+Subject: [PATCH 3/7] integer overflow in XRRQueryOutputProperty()
+ [CVE-2013-1986 1/4]
+
+rep.length is a CARD32, while rbytes was a signed int, so
+ rbytes = sizeof (XRRPropertyInfo) + rep.length * sizeof (long);
+could result in integer overflow, leading to an undersized malloc
+and reading data off the connection and writing it past the end of
+the allocated buffer.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XrrProperty.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/src/XrrProperty.c b/src/XrrProperty.c
+index 2b065b2..50382bf 100644
+--- a/src/XrrProperty.c
++++ b/src/XrrProperty.c
+@@ -31,6 +31,7 @@
+ #include <X11/extensions/render.h>
+ #include <X11/extensions/Xrender.h>
+ #include "Xrandrint.h"
++#include <limits.h>
+
+ Atom *
+ XRRListOutputProperties (Display *dpy, RROutput output, int *nprop)
+@@ -84,7 +85,7 @@ XRRQueryOutputProperty (Display *dpy, RROutput output, Atom property)
+ XExtDisplayInfo *info = XRRFindDisplay(dpy);
+ xRRQueryOutputPropertyReply rep;
+ xRRQueryOutputPropertyReq *req;
+- int rbytes, nbytes;
++ unsigned int rbytes, nbytes;
+ XRRPropertyInfo *prop_info;
+
+ RRCheckExtension (dpy, info, NULL);
+@@ -102,10 +103,14 @@ XRRQueryOutputProperty (Display *dpy, RROutput output, Atom property)
+ return NULL;
+ }
+
+- rbytes = sizeof (XRRPropertyInfo) + rep.length * sizeof (long);
+- nbytes = rep.length << 2;
++ if (rep.length < ((INT_MAX / sizeof(long)) - sizeof (XRRPropertyInfo))) {
++ rbytes = sizeof (XRRPropertyInfo) + (rep.length * sizeof (long));
++ nbytes = rep.length << 2;
++
++ prop_info = Xmalloc (rbytes);
++ } else
++ prop_info = NULL;
+
+- prop_info = (XRRPropertyInfo *) Xmalloc (rbytes);
+ if (prop_info == NULL) {
+ _XEatDataWords(dpy, rep.length);
+ UnlockDisplay (dpy);
+--
+1.8.2.3
+ |
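Review bot: The new bound `if (rep.length < ((INT_MAX / sizeof(long)) - sizeof (XRRPropertyInfo)))` only keeps the `rbytes` arithmetic from wrapping; any server-supplied `rep.length` under that limit is still accepted, so on an LP64 build a hostile X server can still make `Xmalloc (rbytes)` request on the order of 2 GiB before the reply body is even read. That is outside what CVE-2013-1986 covers, but the guard deserves a comment so nobody mistakes it for a sanity check on the reply, e.g. `/* rep.length is server-controlled: this only rules out overflow of rbytes, not an oversized allocation */`. The failure path calls `_XEatDataWords(dpy, rep.length)`, which this hunk does not declare and which presumably comes from a newer libX11 or from an earlier patch in this 7-patch series (this file is 0003), so the packaging should confirm that dependency is in place or the patched file will not build. A minor style point: the `if` arm is braced while the `} else` arm is not, which invites a "goto fail" style mistake on the next edit. XRRQueryOutputProperty's body continues past the end of the hunk.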