diff options
Diffstat (limited to 'main/libxxf86dga/0004-integer-overflow-underflow-in-XDGASetMode-CVE-2013-1.patch')
| -rw-r--r-- | main/libxxf86dga/0004-integer-overflow-underflow-in-XDGASetMode-CVE-2013-1.patch | 53 |
1 files changed, 53 insertions, 0 deletions
diff --git a/main/libxxf86dga/0004-integer-overflow-underflow-in-XDGASetMode-CVE-2013-1.patch b/main/libxxf86dga/0004-integer-overflow-underflow-in-XDGASetMode-CVE-2013-1.patch new file mode 100644 index 0000000000..7a44a074ba --- /dev/null +++ b/main/libxxf86dga/0004-integer-overflow-underflow-in-XDGASetMode-CVE-2013-1.patch @@ -0,0 +1,53 @@ +From f89cf306a60facdf102696840bc05acebd7d1772 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat, 13 Apr 2013 12:38:25 -0700 +Subject: [PATCH 4/6] integer overflow & underflow in XDGASetMode() + [CVE-2013-1991 2/2] + +rep.length is a CARD32 and needs to be bounds checked before bit shifting +and subtracting sz_xXDGAModeInfo to come up with the total size to allocate, +to avoid integer overflow or underflow leading to underallocation and +writing data from the network past the end of the allocated buffer. + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + src/XF86DGA2.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c +index b5145ee..90ca918 100644 +--- a/src/XF86DGA2.c ++++ b/src/XF86DGA2.c +@@ -405,12 +405,15 @@ XDGASetMode( + if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) { + if(rep.length) { + xXDGAModeInfo info; +- int size; ++ unsigned long size; + +- size = rep.length << 2; +- size -= sz_xXDGAModeInfo; /* get text size */ ++ if ((rep.length < (INT_MAX >> 2)) && ++ (rep.length > (sz_xXDGAModeInfo >> 2))) { ++ size = rep.length << 2; ++ size -= sz_xXDGAModeInfo; /* get text size */ + +- dev = (XDGADevice*)Xmalloc(sizeof(XDGADevice) + size); ++ dev = Xmalloc(sizeof(XDGADevice) + size); ++ } + + if(dev) { + _XRead(dpy, (char*)(&info), sz_xXDGAModeInfo); +@@ -451,6 +454,8 @@ XDGASetMode( + dev->data += rep.offset; + } + /* not sure what to do if the allocation fails */ ++ else ++ _XEatDataWords(dpy, rep.length); + } + } + +-- +1.8.2.3 + |