Diffstat (limited to 'main/libxrandr/0005-integer-overflow-in-XRRGetOutputProperty-CVE-2013-19.patch')
-rw-r--r-- | main/libxrandr/0005-integer-overflow-in-XRRGetOutputProperty-CVE-2013-19.patch | 81 |
1 files changed, 0 insertions, 81 deletions
diff --git a/main/libxrandr/0005-integer-overflow-in-XRRGetOutputProperty-CVE-2013-19.patch b/main/libxrandr/0005-integer-overflow-in-XRRGetOutputProperty-CVE-2013-19.patch
deleted file mode 100644
index 225924c639..0000000000
--- a/main/libxrandr/0005-integer-overflow-in-XRRGetOutputProperty-CVE-2013-19.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From 289a1927949e6f278c18d115772e454837702e35 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sat, 4 May 2013 21:37:49 -0700
-Subject: [PATCH 5/7] integer overflow in XRRGetOutputProperty() [CVE-2013-1986
- 3/4]
-
-If the reported number of properties is too large, the calculations
-to allocate memory for them may overflow, leaving us returning less
-memory to the caller than implied by the value written to *nitems.
-
-(Same as reported against libX11 XGetWindowProperty by Ilja Van Sprundel)
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- src/XrrProperty.c | 22 ++++++++++++++--------
- 1 file changed, 14 insertions(+), 8 deletions(-)
-
-diff --git a/src/XrrProperty.c b/src/XrrProperty.c
-index 50382bf..707a28d 100644
---- a/src/XrrProperty.c
-+++ b/src/XrrProperty.c
-@@ -257,7 +257,7 @@ XRRGetOutputProperty (Display *dpy, RROutput output,
- XExtDisplayInfo *info = XRRFindDisplay(dpy);
- xRRGetOutputPropertyReply rep;
- xRRGetOutputPropertyReq *req;
-- long nbytes, rbytes;
-+ unsigned long nbytes, rbytes;
-
- RRCheckExtension (dpy, info, 1);
-
-@@ -282,34 +282,40 @@ XRRGetOutputProperty (Display *dpy, RROutput output,
-
- *prop = (unsigned char *) NULL;
- if (rep.propertyType != None) {
-+ int format = rep.format;
-+
-+ /*
-+ * Protect against both integer overflow and just plain oversized
-+ * memory allocation - no server should ever return this many props.
-+ */
-+ if (rep.nItems >= (INT_MAX >> 4))
-+ format = -1; /* fall through to default error case */
-+
- /*
- * One extra byte is malloced than is needed to contain the property
- * data, but this last byte is null terminated and convenient for
- * returning string properties, so the client doesn't then have to
- * recopy the string to make it null terminated.
- */
-- switch (rep.format) {
-+ switch (format) {
- case 8:
- nbytes = rep.nItems;
- rbytes = rep.nItems + 1;
-- if (rbytes > 0 &&
-- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes)))
-+ if (rbytes > 0 && (*prop = Xmalloc (rbytes)))
- _XReadPad (dpy, (char *) *prop, nbytes);
- break;
-
- case 16:
- nbytes = rep.nItems << 1;
- rbytes = rep.nItems * sizeof (short) + 1;
-- if (rbytes > 0 &&
-- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes)))
-+ if (rbytes > 0 && (*prop = Xmalloc (rbytes)))
- _XRead16Pad (dpy, (short *) *prop, nbytes);
- break;
-
- case 32:
- nbytes = rep.nItems << 2;
- rbytes = rep.nItems * sizeof (long) + 1;
-- if (rbytes > 0 &&
-- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes)))
-+ if (rbytes > 0 && (*prop = Xmalloc (rbytes)))
- _XRead32 (dpy, (long *) *prop, nbytes);
- break;
-
---
-1.8.2.3
-
|