aboutsummaryrefslogtreecommitdiffstats
path: root/main/libxtst/0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch
diff options
context:
space:
mode:
Diffstat (limited to 'main/libxtst/0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch')
-rw-r--r--main/libxtst/0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch81
1 files changed, 0 insertions, 81 deletions
diff --git a/main/libxtst/0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch b/main/libxtst/0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch
deleted file mode 100644
index 661a464fd0..0000000000
--- a/main/libxtst/0002-integer-overflow-in-XRecordGetContext-CVE-2013-2063.patch
+++ /dev/null
@@ -1,81 +0,0 @@
-From e7e04b7be3f018ad636aba3a36bfc1cd80b9906d Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sat, 13 Apr 2013 11:27:26 -0700
-Subject: [PATCH 2/2] integer overflow in XRecordGetContext() [CVE-2013-2063]
-
-The nclients and nranges members of the reply are both CARD32 and need
-to be bounds checked before multiplying by the size of the structs to
-avoid integer overflow leading to underallocation and writing data from
-the network past the end of the allocated buffer.
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- src/XRecord.c | 32 +++++++++++++++++++++-----------
- 1 file changed, 21 insertions(+), 11 deletions(-)
-
-diff --git a/src/XRecord.c b/src/XRecord.c
-index ba628b6..5bbd5ac 100644
---- a/src/XRecord.c
-+++ b/src/XRecord.c
-@@ -420,11 +420,9 @@ XRecordGetContext(Display *dpy, XRecordContext context,
- XExtDisplayInfo *info = find_display (dpy);
- register xRecordGetContextReq *req;
- xRecordGetContextReply rep;
-- int count, i, rn;
-+ unsigned int count, i, rn;
- xRecordRange xrange;
-- XRecordRange *ranges = NULL;
- xRecordClientInfo xclient_inf;
-- XRecordClientInfo **client_inf, *client_inf_str = NULL;
- XRecordState *ret;
-
- XRecordCheckExtension (dpy, info, 0);
-@@ -454,13 +452,18 @@ XRecordGetContext(Display *dpy, XRecordContext context,
-
- if (count)
- {
-- client_inf = (XRecordClientInfo **) Xcalloc(count, sizeof(XRecordClientInfo*));
-- ret->client_info = client_inf;
-- if (client_inf != NULL) {
-- client_inf_str = (XRecordClientInfo *) Xmalloc(count*sizeof(XRecordClientInfo));
-+ XRecordClientInfo **client_inf = NULL;
-+ XRecordClientInfo *client_inf_str = NULL;
-+
-+ if (count < (INT_MAX / sizeof(XRecordClientInfo))) {
-+ client_inf = Xcalloc(count, sizeof(XRecordClientInfo *));
-+ if (client_inf != NULL)
-+ client_inf_str = Xmalloc(count * sizeof(XRecordClientInfo));
- }
-+ ret->client_info = client_inf;
- if (!client_inf || !client_inf_str)
- {
-+ free(client_inf);
- _XEatDataWords (dpy, rep.length);
- UnlockDisplay(dpy);
- XRecordFreeState(ret);
-@@ -476,11 +479,18 @@ XRecordGetContext(Display *dpy, XRecordContext context,
-
- if (xclient_inf.nRanges)
- {
-- client_inf_str[i].ranges = (XRecordRange**) Xcalloc(xclient_inf.nRanges, sizeof(XRecordRange*));
-- if (client_inf_str[i].ranges != NULL) {
-- ranges = (XRecordRange*)
-- Xmalloc(xclient_inf.nRanges * sizeof(XRecordRange));
-+ XRecordRange *ranges = NULL;
-+
-+ if (xclient_inf.nRanges < (INT_MAX / sizeof(XRecordRange))) {
-+ client_inf_str[i].ranges =
-+ Xcalloc(xclient_inf.nRanges, sizeof(XRecordRange *));
-+ if (client_inf_str[i].ranges != NULL)
-+ ranges =
-+ Xmalloc(xclient_inf.nRanges * sizeof(XRecordRange));
- }
-+ else
-+ client_inf_str[i].ranges = NULL;
-+
- if (!client_inf_str[i].ranges || !ranges) {
- /* XXX eat data */
- UnlockDisplay(dpy);
---
-1.8.2.3
-