From de43558cd1904b59c2358a05514aea1d20fab1c2 Mon Sep 17 00:00:00 2001
From: Natanael Copa
Date: Fri, 24 May 2013 08:26:58 +0000
Subject: main/libxrender: fix CVE-2013-1987 ref #1931 fixes #1960
---
main/libxrender/CVE-2013-1987-3.patch | 59 +++++++++++++++++++++++++++++++++++
1 file changed, 59 insertions(+)
create mode 100644 main/libxrender/CVE-2013-1987-3.patch
(limited to 'main/libxrender/CVE-2013-1987-3.patch')
diff --git a/main/libxrender/CVE-2013-1987-3.patch b/main/libxrender/CVE-2013-1987-3.patch
new file mode 100644
index 000000000..92e35d773
--- /dev/null
+++ b/main/libxrender/CVE-2013-1987-3.patch
@@ -0,0 +1,59 @@
+From 786f78fd8df6d165ccbc81f306fd9f22b5c1551c Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith
+Date: Sat, 13 Apr 2013 06:02:11 +0000
+Subject: integer overflow in XRenderQueryPictIndexValues() [CVE-2013-1987 3/3]
+
+The length and numIndexValues members of the reply are both CARD32 and
+need to be bounds checked before multiplying by sizeof (XIndexValue) to
+avoid integer overflow leading to underallocation and writing data from
+the network past the end of the allocated buffer.
+
+Reported-by: Ilja Van Sprundel
+Signed-off-by: Alan Coopersmith
+---
+diff --git a/src/Xrender.c b/src/Xrender.c
+index a62c753..3102eb2 100644
+--- a/src/Xrender.c
++++ b/src/Xrender.c
+@@ -844,7 +844,7 @@ XRenderQueryPictIndexValues(Display *dpy,
+ xRenderQueryPictIndexValuesReq *req;
+ xRenderQueryPictIndexValuesReply rep;
+ XIndexValue *values;
+- int nbytes, nread, rlength, i;
++ unsigned int nbytes, nread, rlength, i;
+
+ RenderCheckExtension (dpy, info, NULL);
+
+@@ -860,15 +860,22 @@ XRenderQueryPictIndexValues(Display *dpy,
+ return NULL;
+ }
+
+- /* request data length */
+- nbytes = (long)rep.length << 2;
+- /* bytes of actual data in the request */
+- nread = rep.numIndexValues * SIZEOF (xIndexValue);
+- /* size of array returned to application */
+- rlength = rep.numIndexValues * sizeof (XIndexValue);
++ if ((rep.length < (INT_MAX >> 2)) &&
++ (rep.numIndexValues < (INT_MAX / sizeof (XIndexValue)))) {
++ /* request data length */
++ nbytes = rep.length << 2;
++ /* bytes of actual data in the request */
++ nread = rep.numIndexValues * SIZEOF (xIndexValue);
++ /* size of array returned to application */
++ rlength = rep.numIndexValues * sizeof (XIndexValue);
++
++ /* allocate returned data */
++ values = Xmalloc (rlength);
++ } else {
++ nbytes = nread = rlength = 0;
++ values = NULL;
++ }
+
+- /* allocate returned data */
+- values = (XIndexValue *)Xmalloc (rlength);
+ if (!values)
+ {
+ _XEatDataWords (dpy, rep.length);
+--
+cgit v0.9.0.2-2-gbebe
-- cgit
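Review bot: The new guard in XRenderQueryPictIndexValues bounds `rep.length` and `rep.numIndexValues` separately but never checks that they agree, so a reply whose `numIndexValues * SIZEOF (xIndexValue)` exceeds `rep.length << 2` still passes. The read loop and padding skip lie outside the hunk, so this is inferred, but now that `nbytes` and `nread` are unsigned any later `nbytes - nread` would wrap instead of going negative, and reading more entries than the reply holds would desynchronise the connection. Consider sending that case down the same error path, e.g. `values = (nread <= nbytes) ? Xmalloc (rlength) : NULL;`. The hunk also relies on `INT_MAX` and `_XEatDataWords` without adding an include or fallback here; presumably the earlier patches in the series provide them, so it is worth confirming that the package applies all three in order.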
v1.2.3