Diffstat (limited to 'main/libxxf86dga/0006-integer-overflow-in-XDGAOpenFramebuffer.patch')
-rw-r--r--main/libxxf86dga/0006-integer-overflow-in-XDGAOpenFramebuffer.patch40
1 files changed, 40 insertions, 0 deletions
diff --git a/main/libxxf86dga/0006-integer-overflow-in-XDGAOpenFramebuffer.patch b/main/libxxf86dga/0006-integer-overflow-in-XDGAOpenFramebuffer.patch
new file mode 100644
index 0000000000..c21b1261fd
--- /dev/null
+++ b/main/libxxf86dga/0006-integer-overflow-in-XDGAOpenFramebuffer.patch
@@ -0,0 +1,40 @@
+From a8dc6be3213bc91dec5e25535ef4bad5a9456af0 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 12:53:49 -0700
+Subject: [PATCH 6/6] integer overflow in XDGAOpenFramebuffer()
+
+rep.length is a CARD32 and should be bounds checked before left shifting
+to come up with the size to allocate and read from the network, though
+since both functions take the same size, there should be no way for the
+buffer to be overflowed in this case.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XF86DGA2.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
+index 4d13677..9c656e6 100644
+--- a/src/XF86DGA2.c
++++ b/src/XF86DGA2.c
+@@ -250,9 +250,14 @@ Bool XDGAOpenFramebuffer(
+ return False;
+ }
+
+- if(rep.length) {
+- deviceName = Xmalloc(rep.length << 2);
+- _XRead(dpy, deviceName, rep.length << 2);
++ if (rep.length) {
++ if (rep.length < (INT_MAX >> 2)) {
++ unsigned long size = rep.length << 2;
++ deviceName = Xmalloc(size);
++ _XRead(dpy, deviceName, size);
++ deviceName[size - 1] = '\0';
++ } else
++ _XEatDataWords(dpy, rep.length);
+ }
+
+ ret = XDGAMapFramebuffer(screen, deviceName,
+--
+1.8.2.3
+
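Review bot: The result of `Xmalloc(size)` in the new `rep.length < (INT_MAX >> 2)` branch is used unchecked, so an allocation failure for a server-supplied length makes `_XRead` and `deviceName[size - 1] = '\0'` write through a NULL pointer. The branch should test the pointer and drain the reply otherwise, e.g. `if (deviceName) { _XRead(dpy, deviceName, size); deviceName[size - 1] = '\0'; } else _XEatDataWords(dpy, rep.length);`. On the oversized-length path the reply is discarded but execution still reaches `XDGAMapFramebuffer(screen, deviceName, ...)`; whether `deviceName` is initialised to NULL and tolerated there is not visible here and is worth confirming. The hunk also uses `INT_MAX` without adding an include, so `<limits.h>` presumably arrives through an earlier patch in the series. The body of XDGAOpenFramebuffer starts and ends outside the hunk.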