diff options
Diffstat (limited to 'main/libxxf86dga/0002-integer-overflow-in-XDGAQueryModes-CVE-2013-1991-1-2.patch')
-rw-r--r-- | main/libxxf86dga/0002-integer-overflow-in-XDGAQueryModes-CVE-2013-1991-1-2.patch | 52 |
1 files changed, 0 insertions, 52 deletions
diff --git a/main/libxxf86dga/0002-integer-overflow-in-XDGAQueryModes-CVE-2013-1991-1-2.patch b/main/libxxf86dga/0002-integer-overflow-in-XDGAQueryModes-CVE-2013-1991-1-2.patch deleted file mode 100644 index c3d190b546..0000000000 --- a/main/libxxf86dga/0002-integer-overflow-in-XDGAQueryModes-CVE-2013-1991-1-2.patch +++ /dev/null @@ -1,52 +0,0 @@ -From f4a8dd63af518640468d82948f450aad4b2b1e6a Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith <alan.coopersmith@oracle.com> -Date: Sat, 13 Apr 2013 12:18:57 -0700 -Subject: [PATCH 2/6] integer overflow in XDGAQueryModes() [CVE-2013-1991 1/2] - -number is a CARD32 and needs to be bounds checked before multiplying by -sizeof(XDGAmode) to come up with the total size to allocate, to avoid -integer overflow leading to underallocation and writing data from the -network past the end of the allocated buffer. - -Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> -Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> ---- - src/XF86DGA2.c | 19 ++++++++++++------- - 1 file changed, 12 insertions(+), 7 deletions(-) - -diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c -index c17c7f1..8830266 100644 ---- a/src/XF86DGA2.c -+++ b/src/XF86DGA2.c -@@ -312,16 +312,21 @@ XDGAMode* XDGAQueryModes( - if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) { - if(rep.length) { - xXDGAModeInfo info; -- int i, size; -+ unsigned long size = 0; - char *offset; - -- size = rep.length << 2; -- size -= rep.number * sz_xXDGAModeInfo; /* find text size */ -- modes = (XDGAMode*)Xmalloc((rep.number * sizeof(XDGAMode)) + size); -- offset = (char*)(&modes[rep.number]); /* start of text */ -- -+ if ((rep.length < (INT_MAX >> 2)) && -+ (rep.number < (INT_MAX / sizeof(XDGAMode)))) { -+ size = rep.length << 2; -+ if (size > (rep.number * sz_xXDGAModeInfo)) { -+ size -= rep.number * sz_xXDGAModeInfo; /* find text size */ -+ modes = Xmalloc((rep.number * sizeof(XDGAMode)) + size); -+ offset = (char*)(&modes[rep.number]); /* start of text */ -+ } -+ } - -- if(modes) { -+ if (modes != NULL) { -+ unsigned int i; - for(i = 0; i < rep.number; i++) { - _XRead(dpy, (char*)(&info), sz_xXDGAModeInfo); - --- -1.8.2.3 - |