aboutsummaryrefslogtreecommitdiffstats
path: root/main/libxxf86dga/0002-integer-overflow-in-XDGAQueryModes-CVE-2013-1991-1-2.patch
diff options
context:
space:
mode:
Diffstat (limited to 'main/libxxf86dga/0002-integer-overflow-in-XDGAQueryModes-CVE-2013-1991-1-2.patch')
-rw-r--r--main/libxxf86dga/0002-integer-overflow-in-XDGAQueryModes-CVE-2013-1991-1-2.patch52
1 files changed, 0 insertions, 52 deletions
diff --git a/main/libxxf86dga/0002-integer-overflow-in-XDGAQueryModes-CVE-2013-1991-1-2.patch b/main/libxxf86dga/0002-integer-overflow-in-XDGAQueryModes-CVE-2013-1991-1-2.patch
deleted file mode 100644
index c3d190b546..0000000000
--- a/main/libxxf86dga/0002-integer-overflow-in-XDGAQueryModes-CVE-2013-1991-1-2.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From f4a8dd63af518640468d82948f450aad4b2b1e6a Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sat, 13 Apr 2013 12:18:57 -0700
-Subject: [PATCH 2/6] integer overflow in XDGAQueryModes() [CVE-2013-1991 1/2]
-
-number is a CARD32 and needs to be bounds checked before multiplying by
-sizeof(XDGAmode) to come up with the total size to allocate, to avoid
-integer overflow leading to underallocation and writing data from the
-network past the end of the allocated buffer.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- src/XF86DGA2.c | 19 ++++++++++++-------
- 1 file changed, 12 insertions(+), 7 deletions(-)
-
-diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
-index c17c7f1..8830266 100644
---- a/src/XF86DGA2.c
-+++ b/src/XF86DGA2.c
-@@ -312,16 +312,21 @@ XDGAMode* XDGAQueryModes(
- if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) {
- if(rep.length) {
- xXDGAModeInfo info;
-- int i, size;
-+ unsigned long size = 0;
- char *offset;
-
-- size = rep.length << 2;
-- size -= rep.number * sz_xXDGAModeInfo; /* find text size */
-- modes = (XDGAMode*)Xmalloc((rep.number * sizeof(XDGAMode)) + size);
-- offset = (char*)(&modes[rep.number]); /* start of text */
--
-+ if ((rep.length < (INT_MAX >> 2)) &&
-+ (rep.number < (INT_MAX / sizeof(XDGAMode)))) {
-+ size = rep.length << 2;
-+ if (size > (rep.number * sz_xXDGAModeInfo)) {
-+ size -= rep.number * sz_xXDGAModeInfo; /* find text size */
-+ modes = Xmalloc((rep.number * sizeof(XDGAMode)) + size);
-+ offset = (char*)(&modes[rep.number]); /* start of text */
-+ }
-+ }
-
-- if(modes) {
-+ if (modes != NULL) {
-+ unsigned int i;
- for(i = 0; i < rep.number; i++) {
- _XRead(dpy, (char*)(&info), sz_xXDGAModeInfo);
-
---
-1.8.2.3
-
generated by cgit v1.2.3 (git 2.25.1) at 2024-09-25 20:24:18 +0000