Diffstat (limited to 'main/libxrender/CVE-2013-1987-3.patch')
-rw-r--r-- | main/libxrender/CVE-2013-1987-3.patch | 59 |
1 files changed, 59 insertions, 0 deletions
diff --git a/main/libxrender/CVE-2013-1987-3.patch b/main/libxrender/CVE-2013-1987-3.patch
new file mode 100644
index 0000000000..92e35d773e
--- /dev/null
+++ b/main/libxrender/CVE-2013-1987-3.patch
@@ -0,0 +1,59 @@
+From 786f78fd8df6d165ccbc81f306fd9f22b5c1551c Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 06:02:11 +0000
+Subject: integer overflow in XRenderQueryPictIndexValues() [CVE-2013-1987 3/3]
+
+The length and numIndexValues members of the reply are both CARD32 and
+need to be bounds checked before multiplying by sizeof (XIndexValue) to
+avoid integer overflow leading to underallocation and writing data from
+the network past the end of the allocated buffer.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+diff --git a/src/Xrender.c b/src/Xrender.c
+index a62c753..3102eb2 100644
+--- a/src/Xrender.c
++++ b/src/Xrender.c
+@@ -844,7 +844,7 @@ XRenderQueryPictIndexValues(Display *dpy,
+ xRenderQueryPictIndexValuesReq *req;
+ xRenderQueryPictIndexValuesReply rep;
+ XIndexValue *values;
+- int nbytes, nread, rlength, i;
++ unsigned int nbytes, nread, rlength, i;
+
+ RenderCheckExtension (dpy, info, NULL);
+
+@@ -860,15 +860,22 @@ XRenderQueryPictIndexValues(Display *dpy,
+ return NULL;
+ }
+
+- /* request data length */
+- nbytes = (long)rep.length << 2;
+- /* bytes of actual data in the request */
+- nread = rep.numIndexValues * SIZEOF (xIndexValue);
+- /* size of array returned to application */
+- rlength = rep.numIndexValues * sizeof (XIndexValue);
++ if ((rep.length < (INT_MAX >> 2)) &&
++ (rep.numIndexValues < (INT_MAX / sizeof (XIndexValue)))) {
++ /* request data length */
++ nbytes = rep.length << 2;
++ /* bytes of actual data in the request */
++ nread = rep.numIndexValues * SIZEOF (xIndexValue);
++ /* size of array returned to application */
++ rlength = rep.numIndexValues * sizeof (XIndexValue);
++
++ /* allocate returned data */
++ values = Xmalloc (rlength);
++ } else {
++ nbytes = nread = rlength = 0;
++ values = NULL;
++ }
+
+- /* allocate returned data */
+- values = (XIndexValue *)Xmalloc (rlength);
+ if (!values)
+ {
+ _XEatDataWords (dpy, rep.length);
+--
+cgit v0.9.0.2-2-gbebe |
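Review bot: The new guard in the second inner hunk bounds rep.length and rep.numIndexValues separately but never checks them against each other, so a reply whose numIndexValues * SIZEOF (xIndexValue) exceeds rep.length << 2 still passes and gets a buffer allocated. The code that consumes the reply is outside the hunk, but with nbytes and nread now unsigned, any later `nbytes - nread` would wrap to a large value rather than go negative, so it is worth rejecting the inconsistent reply up front by adding a third condition, `&& (rep.numIndexValues <= ((rep.length << 2) / SIZEOF (xIndexValue)))`, after the length test. Separately, INT_MAX needs `<limits.h>`, which this patch does not add to src/Xrender.c; it presumably comes from an earlier patch in the series, so the package build should apply the CVE-2013-1987 patches in order.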