From 35abd83d4097101fbeeb4a212526848d22ecfa55 Mon Sep 17 00:00:00 2001
From: Natanael Copa <ncopa@alpinelinux.org>
Date: Thu, 6 Jun 2013 16:10:23 +0000
Subject: main/libxp: upgrade to 1.0.2

---
 ...rflow-in-XpGetAttributes-XpGetOneAttribut.patch | 86 ----------------------
 1 file changed, 86 deletions(-)
 delete mode 100644 main/libxp/0003-integer-overflow-in-XpGetAttributes-XpGetOneAttribut.patch

(limited to 'main/libxp/0003-integer-overflow-in-XpGetAttributes-XpGetOneAttribut.patch')

diff --git a/main/libxp/0003-integer-overflow-in-XpGetAttributes-XpGetOneAttribut.patch b/main/libxp/0003-integer-overflow-in-XpGetAttributes-XpGetOneAttribut.patch
deleted file mode 100644
index e510b705e0..0000000000
--- a/main/libxp/0003-integer-overflow-in-XpGetAttributes-XpGetOneAttribut.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From babb1fc823ab3be192c48fe115feeb0d57f74d05 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Fri, 26 Apr 2013 23:59:25 -0700
-Subject: [PATCH 3/5] integer overflow in XpGetAttributes & XpGetOneAttribute
- [CVE-2013-2062 1/3]
-
-stringLen & valueLen are CARD32s and need to be bounds checked before adding
-one to them to come up with the total size to allocate, to avoid integer
-overflow leading to underallocation and writing data from the network past
-the end of the allocated buffer.
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
----
- src/XpAttr.c | 36 +++++++++++++++++++-----------------
- 1 file changed, 19 insertions(+), 17 deletions(-)
-
-diff --git a/src/XpAttr.c b/src/XpAttr.c
-index 6818daf..665e2e8 100644
---- a/src/XpAttr.c
-+++ b/src/XpAttr.c
-@@ -48,6 +48,7 @@
- 
- #include <stdio.h>
- #include <sys/stat.h>
-+#include <limits.h>
- 
- char *
- XpGetAttributes (
-@@ -83,17 +84,18 @@ XpGetAttributes (
-     /*
-      * Read pool and return to caller.
-      */
--    buf = Xmalloc( (unsigned) rep.stringLen + 1 );
-+    if (rep.stringLen < INT_MAX)
-+        buf = Xmalloc(rep.stringLen + 1);
-+    else
-+        buf = NULL;
- 
-     if (!buf) {
--        UnlockDisplay(dpy);
--        SyncHandle();
--        return( (char *) NULL ); /* malloc error */
-+        _XEatDataWords(dpy, rep.length);
-+    }
-+    else {
-+        _XReadPad (dpy, (char *) buf, rep.stringLen );
-+        buf[rep.stringLen] = 0;
-     }
--
--    _XReadPad (dpy, (char *) buf, (long) rep.stringLen );
--
--    buf[rep.stringLen] = 0;
- 
-     UnlockDisplay(dpy);
-     SyncHandle();
-@@ -144,18 +146,18 @@ XpGetOneAttribute (
-     /*
-      * Read variable answer.
-      */
--    buf = Xmalloc( (unsigned) rep.valueLen + 1 );
-+    if (rep.valueLen < INT_MAX)
-+        buf = Xmalloc(rep.valueLen + 1);
-+    else
-+        buf = NULL;
- 
-     if (!buf) {
--        UnlockDisplay(dpy);
--        SyncHandle();
--        return( (char *) NULL ); /* malloc error */
-+        _XEatDataWords(dpy, rep.length);
-+    }
-+    else {
-+        _XReadPad (dpy, (char *) buf, rep.valueLen);
-+        buf[rep.valueLen] = 0;
-     }
--
--    buf[rep.valueLen] = 0;
--
--    _XReadPad (dpy, (char *) buf, (long) rep.valueLen );
--    buf[rep.valueLen] = 0;
- 
-     UnlockDisplay(dpy);
-     SyncHandle();
--- 
-1.8.2.3
-
-- 
cgit v1.2.3