diff options
Diffstat (limited to 'main/libxp/0005-integer-overflows-in-XpQueryScreens-CVE-2013-2062-3-.patch')
| -rw-r--r-- | main/libxp/0005-integer-overflows-in-XpQueryScreens-CVE-2013-2062-3-.patch | 64 |
1 files changed, 64 insertions, 0 deletions
diff --git a/main/libxp/0005-integer-overflows-in-XpQueryScreens-CVE-2013-2062-3-.patch b/main/libxp/0005-integer-overflows-in-XpQueryScreens-CVE-2013-2062-3-.patch new file mode 100644 index 000000000..c7e925e35 --- /dev/null +++ b/main/libxp/0005-integer-overflows-in-XpQueryScreens-CVE-2013-2062-3-.patch @@ -0,0 +1,64 @@ +From e111065f6dd790c820fa67ea31055b18c68481e3 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Fri, 26 Apr 2013 23:59:25 -0700 +Subject: [PATCH 5/5] integer overflows in XpQueryScreens() [CVE-2013-2062 3/3] + +listCount is a CARD32 that needs to be bounds checked before it is +multiplied by the size of the pointers to allocate, to avoid integer +overflow leading to underallocation and writing data from the network +past the end of the allocated buffer. + +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + src/XpScreens.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/src/XpScreens.c b/src/XpScreens.c +index 815dfbf..b31e554 100644 +--- a/src/XpScreens.c ++++ b/src/XpScreens.c +@@ -42,6 +42,7 @@ + #include <X11/extensions/Printstr.h> + #include <X11/Xlibint.h> + #include "XpExtUtil.h" ++#include <limits.h> + + + Screen ** +@@ -82,19 +83,17 @@ XpQueryScreens ( + *list_count = rep.listCount; + + if (*list_count) { +- scr_list = (Screen **) +- Xmalloc( (unsigned) (sizeof(Screen *) * *list_count) ); ++ if (rep.listCount < (INT_MAX / sizeof(Screen *))) ++ scr_list = Xmalloc(sizeof(Screen *) * *list_count); ++ else ++ scr_list = NULL; + + if (!scr_list) { +- UnlockDisplay(dpy); +- SyncHandle(); +- return ( (Screen **) NULL ); /* malloc error */ ++ _XEatDataWords(dpy, rep.length); ++ goto out; + } + i = 0; + while(i < *list_count){ +- /* +- * Pull printer length and then name. +- */ + _XRead32 (dpy, &rootWindow, (long) sizeof(CARD32) ); + scr_list[i] = NULL; + for ( j = 0; j < XScreenCount(dpy); j++ ) { +@@ -118,6 +117,7 @@ XpQueryScreens ( + scr_list = (Screen **) NULL; + } + ++ out: + UnlockDisplay(dpy); + SyncHandle(); + +-- +1.8.2.3 + |