aboutsummaryrefslogtreecommitdiffstats
path: root/main/libxxf86vm/0008-avoid-integer-overflow-in-XF86VidModeGetModeLine.patch
diff options
context:
space:
mode:
Diffstat (limited to 'main/libxxf86vm/0008-avoid-integer-overflow-in-XF86VidModeGetModeLine.patch')
-rw-r--r--main/libxxf86vm/0008-avoid-integer-overflow-in-XF86VidModeGetModeLine.patch34
1 files changed, 34 insertions, 0 deletions
diff --git a/main/libxxf86vm/0008-avoid-integer-overflow-in-XF86VidModeGetModeLine.patch b/main/libxxf86vm/0008-avoid-integer-overflow-in-XF86VidModeGetModeLine.patch
new file mode 100644
index 0000000000..f879c5b116
--- /dev/null
+++ b/main/libxxf86vm/0008-avoid-integer-overflow-in-XF86VidModeGetModeLine.patch
@@ -0,0 +1,34 @@
+From 4c4123441e40da97acd10f58911193ad3dcef5cd Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 14:43:48 -0700
+Subject: [PATCH 8/8] avoid integer overflow in XF86VidModeGetModeLine()
+
+rep.privsize is a CARD32 and needs to be bounds checked before multiplying
+by sizeof(INT32) to come up with the total size to allocate & read to avoid
+integer overflow, though it would not result in buffer overflow as the same
+calculation was used for both allocation & reading from the network.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XF86VMode.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/XF86VMode.c b/src/XF86VMode.c
+index a32564e..fb94816 100644
+--- a/src/XF86VMode.c
++++ b/src/XF86VMode.c
+@@ -271,7 +271,10 @@ XF86VidModeGetModeLine(Display* dpy, int screen, int* dotclock,
+ }
+
+ if (modeline->privsize > 0) {
+- modeline->private = Xcalloc(modeline->privsize, sizeof(INT32));
++ if (modeline->privsize < (INT_MAX / sizeof(INT32)))
++ modeline->private = Xcalloc(modeline->privsize, sizeof(INT32));
++ else
++ modeline->private = NULL;
+ if (modeline->private == NULL) {
+ _XEatDataWords(dpy, rep.length -
+ ((SIZEOF(xXF86VidModeGetModeLineReply) - SIZEOF(xReply)) >> 2));
+--
+1.8.2.3
+