summaryrefslogtreecommitdiffstats
path: root/main/libxext/0004-several-integer-overflows-in-XdbeGetVisualInfo-CVE-2.patch
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2013-05-24 08:48:52 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2013-05-24 08:48:52 +0000
commitadf915bf8b5c4ff1c07648f42cee8ab4d804dede (patch)
tree6c08fce45da9c21698b244140ba27cd582104170 /main/libxext/0004-several-integer-overflows-in-XdbeGetVisualInfo-CVE-2.patch
parentc3c243cd3795568ab5dd6fb7648f225ef2dbf593 (diff)
downloadaports-adf915bf8b5c4ff1c07648f42cee8ab4d804dede.tar.bz2
aports-adf915bf8b5c4ff1c07648f42cee8ab4d804dede.tar.xz
main/libxext: fix CVE-2013-1982
ref #1931
Diffstat (limited to 'main/libxext/0004-several-integer-overflows-in-XdbeGetVisualInfo-CVE-2.patch')
-rw-r--r--main/libxext/0004-several-integer-overflows-in-XdbeGetVisualInfo-CVE-2.patch84
1 files changed, 84 insertions, 0 deletions
diff --git a/main/libxext/0004-several-integer-overflows-in-XdbeGetVisualInfo-CVE-2.patch b/main/libxext/0004-several-integer-overflows-in-XdbeGetVisualInfo-CVE-2.patch
new file mode 100644
index 000000000..75c50e002
--- /dev/null
+++ b/main/libxext/0004-several-integer-overflows-in-XdbeGetVisualInfo-CVE-2.patch
@@ -0,0 +1,84 @@
+From 96d1da55a08c4cd52b763cb07bdce5cdcbec4da8 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 9 Mar 2013 14:40:33 -0800
+Subject: [PATCH 4/7] several integer overflows in XdbeGetVisualInfo()
+ [CVE-2013-1982 3/6]
+
+If the number of screens or visuals reported by the server is large enough
+that it overflows when multiplied by the size of the appropriate struct,
+then memory corruption can occur when more bytes are read from the X server
+than the size of the buffer we allocated to hold them.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/Xdbe.c | 27 +++++++++++++++++----------
+ 1 file changed, 17 insertions(+), 10 deletions(-)
+
+diff --git a/src/Xdbe.c b/src/Xdbe.c
+index 4b5fa18..016886c 100644
+--- a/src/Xdbe.c
++++ b/src/Xdbe.c
+@@ -39,6 +39,8 @@
+ #include <X11/extensions/extutil.h>
+ #include <X11/extensions/Xdbe.h>
+ #include <X11/extensions/dbeproto.h>
++#include <limits.h>
++#include "eat.h"
+
+ static XExtensionInfo _dbe_info_data;
+ static XExtensionInfo *dbe_info = &_dbe_info_data;
+@@ -352,9 +354,12 @@ XdbeScreenVisualInfo *XdbeGetVisualInfo (
+ *num_screens = rep.m;
+
+ /* allocate list of visual information to be returned */
+- if (!(scrVisInfo =
+- (XdbeScreenVisualInfo *)Xmalloc(
+- (unsigned)(*num_screens * sizeof(XdbeScreenVisualInfo))))) {
++ if ((*num_screens > 0) && (*num_screens < 65536))
++ scrVisInfo = Xmalloc(*num_screens * sizeof(XdbeScreenVisualInfo));
++ else
++ scrVisInfo = NULL;
++ if (scrVisInfo == NULL) {
++ _XEatDataWords(dpy, rep.length);
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ return NULL;
+@@ -362,25 +367,27 @@ XdbeScreenVisualInfo *XdbeGetVisualInfo (
+
+ for (i = 0; i < *num_screens; i++)
+ {
+- int nbytes;
+ int j;
+- long c;
++ unsigned long c;
+
+- _XRead32 (dpy, &c, sizeof(CARD32));
+- scrVisInfo[i].count = c;
++ _XRead32 (dpy, (long *) &c, sizeof(CARD32));
+
+- nbytes = scrVisInfo[i].count * sizeof(XdbeVisualInfo);
++ if (c < 65536) {
++ scrVisInfo[i].count = c;
++ scrVisInfo[i].visinfo = Xmalloc(c * sizeof(XdbeVisualInfo));
++ } else
++ scrVisInfo[i].visinfo = NULL;
+
+ /* if we can not allocate the list of visual/depth info
+ * then free the lists that we already allocate as well
+ * as the visual info list itself
+ */
+- if (!(scrVisInfo[i].visinfo = (XdbeVisualInfo *)Xmalloc(
+- (unsigned)nbytes))) {
++ if (scrVisInfo[i].visinfo == NULL) {
+ for (j = 0; j < i; j++) {
+ Xfree ((char *)scrVisInfo[j].visinfo);
+ }
+ Xfree ((char *)scrVisInfo);
++ _XEatDataWords(dpy, rep.length);
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ return NULL;
+--
+1.8.2.3
+