1 files changed, 43 insertions, 0 deletions

diff --git a/main/libxxf86dga/0003-buffer-overflow-in-XDGAQueryModes-CVE-2013-2000-1-2.patch b/main/libxxf86dga/0003-buffer-overflow-in-XDGAQueryModes-CVE-2013-2000-1-2.patch
new file mode 100644
index 0000000000..9123d7f3ba
--- /dev/null
+++ b/main/libxxf86dga/0003-buffer-overflow-in-XDGAQueryModes-CVE-2013-2000-1-2.patch
@@ -0,0 +1,43 @@
+From 5dcfa6a8cf2df39828da733e5945e730518c27b3 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 12:27:10 -0700
+Subject: [PATCH 3/6] buffer overflow in XDGAQueryModes() [CVE-2013-2000 1/2]
+
+When reading the name strings for the modes off the network, we never
+checked to make sure the length of the individual name strings didn't
+overflow the size of the buffer we'd allocated based on the reported
+rep.length for the total reply size.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XF86DGA2.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
+index 8830266..b5145ee 100644
+--- a/src/XF86DGA2.c
++++ b/src/XF86DGA2.c
+@@ -356,9 +356,16 @@ XDGAMode* XDGAQueryModes(
+ 		modes[i].reserved1 = info.reserved1;
+ 		modes[i].reserved2 = info.reserved2;
+ 
+-		_XRead(dpy, offset, info.name_size);
+-		modes[i].name = offset;
+-		offset += info.name_size;
++		if (info.name_size > 0 && info.name_size <= size) {
++		    _XRead(dpy, offset, info.name_size);
++		    modes[i].name = offset;
++		    modes[i].name[info.name_size - 1] = '\0';
++		    offset += info.name_size;
++		    size -= info.name_size;
++		} else {
++		    _XEatData(dpy, info.name_size);
++		    modes[i].name = NULL;
++		}
+ 	      }
+ 	      *num = rep.number;
+ 	   } else
+-- 
+1.8.2.3
+