diff options
Diffstat (limited to 'main/libxxf86dga/0004-integer-overflow-underflow-in-XDGASetMode-CVE-2013-1.patch')
| -rw-r--r-- | main/libxxf86dga/0004-integer-overflow-underflow-in-XDGASetMode-CVE-2013-1.patch | 53 |
1 files changed, 0 insertions, 53 deletions
diff --git a/main/libxxf86dga/0004-integer-overflow-underflow-in-XDGASetMode-CVE-2013-1.patch b/main/libxxf86dga/0004-integer-overflow-underflow-in-XDGASetMode-CVE-2013-1.patch deleted file mode 100644 index 7a44a074ba..0000000000 --- a/main/libxxf86dga/0004-integer-overflow-underflow-in-XDGASetMode-CVE-2013-1.patch +++ /dev/null @@ -1,53 +0,0 @@ -From f89cf306a60facdf102696840bc05acebd7d1772 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith <alan.coopersmith@oracle.com> -Date: Sat, 13 Apr 2013 12:38:25 -0700 -Subject: [PATCH 4/6] integer overflow & underflow in XDGASetMode() - [CVE-2013-1991 2/2] - -rep.length is a CARD32 and needs to be bounds checked before bit shifting -and subtracting sz_xXDGAModeInfo to come up with the total size to allocate, -to avoid integer overflow or underflow leading to underallocation and -writing data from the network past the end of the allocated buffer. - -Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> -Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> ---- - src/XF86DGA2.c | 13 +++++++++---- - 1 file changed, 9 insertions(+), 4 deletions(-) - -diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c -index b5145ee..90ca918 100644 ---- a/src/XF86DGA2.c -+++ b/src/XF86DGA2.c -@@ -405,12 +405,15 @@ XDGASetMode( - if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) { - if(rep.length) { - xXDGAModeInfo info; -- int size; -+ unsigned long size; - -- size = rep.length << 2; -- size -= sz_xXDGAModeInfo; /* get text size */ -+ if ((rep.length < (INT_MAX >> 2)) && -+ (rep.length > (sz_xXDGAModeInfo >> 2))) { -+ size = rep.length << 2; -+ size -= sz_xXDGAModeInfo; /* get text size */ - -- dev = (XDGADevice*)Xmalloc(sizeof(XDGADevice) + size); -+ dev = Xmalloc(sizeof(XDGADevice) + size); -+ } - - if(dev) { - _XRead(dpy, (char*)(&info), sz_xXDGAModeInfo); -@@ -451,6 +454,8 @@ XDGASetMode( - dev->data += rep.offset; - } - /* not sure what to do if the allocation fails */ -+ else -+ _XEatDataWords(dpy, rep.length); - } - } - --- -1.8.2.3 - |