1 files changed, 40 insertions, 0 deletions

diff --git a/main/libxxf86dga/0005-buffer-overflow-in-XDGASetMode-CVE-2013-2000-2-2.patch b/main/libxxf86dga/0005-buffer-overflow-in-XDGASetMode-CVE-2013-2000-2-2.patch
new file mode 100644
index 0000000000..70ed6aef78
--- /dev/null
+++ b/main/libxxf86dga/0005-buffer-overflow-in-XDGASetMode-CVE-2013-2000-2-2.patch
@@ -0,0 +1,40 @@
+From b69d6d51a82b1d1e8c68a233360acb742c879375 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 12:45:41 -0700
+Subject: [PATCH 5/6] buffer overflow in XDGASetMode() [CVE-2013-2000 2/2]
+
+When reading the name strings for the mode off the network, we never
+checked to make sure the length of the name strings didn't overflow
+the size of the buffer we'd allocated based on the reported rep.length
+for the total reply size.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XF86DGA2.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
+index 90ca918..4d13677 100644
+--- a/src/XF86DGA2.c
++++ b/src/XF86DGA2.c
+@@ -444,8 +444,14 @@ XDGASetMode(
+ 		dev->mode.reserved1 = info.reserved1;
+ 		dev->mode.reserved2 = info.reserved2;
+ 
+-		dev->mode.name = (char*)(&dev[1]);
+-		_XRead(dpy, dev->mode.name, info.name_size);
++		if (info.name_size > 0 && info.name_size <= size) {
++		    dev->mode.name = (char*)(&dev[1]);
++		    _XRead(dpy, dev->mode.name, info.name_size);
++		    dev->mode.name[info.name_size - 1] = '\0';
++		} else {
++		    dev->mode.name = NULL;
++		    _XEatDataWords(dpy, rep.length);
++		}
+ 
+ 		dev->pixmap = (rep.flags & XDGAPixmap) ? pid : 0;
+ 		dev->data = XDGAGetMappedMemory(screen);
+-- 
+1.8.2.3
+