diff options
author | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-24 08:48:52 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-24 08:48:52 +0000 |
commit | adf915bf8b5c4ff1c07648f42cee8ab4d804dede (patch) | |
tree | 6c08fce45da9c21698b244140ba27cd582104170 /main/libxext/0004-several-integer-overflows-in-XdbeGetVisualInfo-CVE-2.patch | |
parent | c3c243cd3795568ab5dd6fb7648f225ef2dbf593 (diff) | |
download | aports-adf915bf8b5c4ff1c07648f42cee8ab4d804dede.tar.bz2 aports-adf915bf8b5c4ff1c07648f42cee8ab4d804dede.tar.xz |
main/libxext: fix CVE-2013-1982
ref #1931
Diffstat (limited to 'main/libxext/0004-several-integer-overflows-in-XdbeGetVisualInfo-CVE-2.patch')
-rw-r--r-- | main/libxext/0004-several-integer-overflows-in-XdbeGetVisualInfo-CVE-2.patch | 84 |
1 files changed, 84 insertions, 0 deletions
diff --git a/main/libxext/0004-several-integer-overflows-in-XdbeGetVisualInfo-CVE-2.patch b/main/libxext/0004-several-integer-overflows-in-XdbeGetVisualInfo-CVE-2.patch new file mode 100644 index 000000000..75c50e002 --- /dev/null +++ b/main/libxext/0004-several-integer-overflows-in-XdbeGetVisualInfo-CVE-2.patch @@ -0,0 +1,84 @@ +From 96d1da55a08c4cd52b763cb07bdce5cdcbec4da8 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat, 9 Mar 2013 14:40:33 -0800 +Subject: [PATCH 4/7] several integer overflows in XdbeGetVisualInfo() + [CVE-2013-1982 3/6] + +If the number of screens or visuals reported by the server is large enough +that it overflows when multiplied by the size of the appropriate struct, +then memory corruption can occur when more bytes are read from the X server +than the size of the buffer we allocated to hold them. + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + src/Xdbe.c | 27 +++++++++++++++++---------- + 1 file changed, 17 insertions(+), 10 deletions(-) + +diff --git a/src/Xdbe.c b/src/Xdbe.c +index 4b5fa18..016886c 100644 +--- a/src/Xdbe.c ++++ b/src/Xdbe.c +@@ -39,6 +39,8 @@ + #include <X11/extensions/extutil.h> + #include <X11/extensions/Xdbe.h> + #include <X11/extensions/dbeproto.h> ++#include <limits.h> ++#include "eat.h" + + static XExtensionInfo _dbe_info_data; + static XExtensionInfo *dbe_info = &_dbe_info_data; +@@ -352,9 +354,12 @@ XdbeScreenVisualInfo *XdbeGetVisualInfo ( + *num_screens = rep.m; + + /* allocate list of visual information to be returned */ +- if (!(scrVisInfo = +- (XdbeScreenVisualInfo *)Xmalloc( +- (unsigned)(*num_screens * sizeof(XdbeScreenVisualInfo))))) { ++ if ((*num_screens > 0) && (*num_screens < 65536)) ++ scrVisInfo = Xmalloc(*num_screens * sizeof(XdbeScreenVisualInfo)); ++ else ++ scrVisInfo = NULL; ++ if (scrVisInfo == NULL) { ++ _XEatDataWords(dpy, rep.length); + UnlockDisplay (dpy); + SyncHandle (); + return NULL; +@@ -362,25 +367,27 @@ XdbeScreenVisualInfo *XdbeGetVisualInfo ( + + for (i = 0; i < *num_screens; i++) + { +- int nbytes; + int j; +- long c; ++ unsigned long c; + +- _XRead32 (dpy, &c, sizeof(CARD32)); +- scrVisInfo[i].count = c; ++ _XRead32 (dpy, (long *) &c, sizeof(CARD32)); + +- nbytes = scrVisInfo[i].count * sizeof(XdbeVisualInfo); ++ if (c < 65536) { ++ scrVisInfo[i].count = c; ++ scrVisInfo[i].visinfo = Xmalloc(c * sizeof(XdbeVisualInfo)); ++ } else ++ scrVisInfo[i].visinfo = NULL; + + /* if we can not allocate the list of visual/depth info + * then free the lists that we already allocate as well + * as the visual info list itself + */ +- if (!(scrVisInfo[i].visinfo = (XdbeVisualInfo *)Xmalloc( +- (unsigned)nbytes))) { ++ if (scrVisInfo[i].visinfo == NULL) { + for (j = 0; j < i; j++) { + Xfree ((char *)scrVisInfo[j].visinfo); + } + Xfree ((char *)scrVisInfo); ++ _XEatDataWords(dpy, rep.length); + UnlockDisplay (dpy); + SyncHandle (); + return NULL; +-- +1.8.2.3 + |