From de43558cd1904b59c2358a05514aea1d20fab1c2 Mon Sep 17 00:00:00 2001
From: Natanael Copa
Date: Fri, 24 May 2013 08:26:58 +0000
Subject: main/libxrender: fix CVE-2013-1987 ref #1931 fixes #1960
---
main/libxrender/APKBUILD | 40 ++++++++++++++---
main/libxrender/CVE-2013-1987-1.patch | 83 +++++++++++++++++++++++++++++++++++
main/libxrender/CVE-2013-1987-2.patch | 81 ++++++++++++++++++++++++++++++++++
main/libxrender/CVE-2013-1987-3.patch | 59 +++++++++++++++++++++++++
4 files changed, 256 insertions(+), 7 deletions(-)
create mode 100644 main/libxrender/CVE-2013-1987-1.patch
create mode 100644 main/libxrender/CVE-2013-1987-2.patch
create mode 100644 main/libxrender/CVE-2013-1987-3.patch
(limited to 'main/libxrender')
diff --git a/main/libxrender/APKBUILD b/main/libxrender/APKBUILD
index 6e9a8cd59..e1349f439 100644
--- a/main/libxrender/APKBUILD
+++ b/main/libxrender/APKBUILD
@@ -1,26 +1,52 @@ # Maintainer: Natanael Copa pkgname=libxrender pkgver=0.9.7 -pkgrel=0 +pkgrel=1 pkgdesc="X Rendering Extension client library" url="http://xorg.freedesktop.org/" arch="all" license="custom" subpackages="$pkgname-dev" depends= -makedepends="pkgconfig libx11-dev renderproto" -source="http://xorg.freedesktop.org/releases/individual/lib/libXrender-$pkgver.tar.bz2" - depends_dev="xproto renderproto libx11-dev" +makedepends="$depends_dev" +source="http://xorg.freedesktop.org/releases/individual/lib/libXrender-$pkgver.tar.bz2 + CVE-2013-1987-1.patch + CVE-2013-1987-2.patch + CVE-2013-1987-3.patch + " + + +_builddir="$srcdir"/libXrender-$pkgver +prepare() { + cd "$_builddir" + for i in $source; do + case $i in + *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;; + esac + done +} + build() { - cd "$srcdir"/libXrender-$pkgver + cd "$_builddir" ./configure --prefix=/usr make || return 1 } package() { - cd "$srcdir"/libXrender-$pkgver + cd "$_builddir" make DESTDIR="$pkgdir" install || return 1 rm "$pkgdir"/usr/lib/*.la || return 1 } -md5sums="ee62f4c7f0f16ced4da63308963ccad2 libXrender-0.9.7.tar.bz2" +md5sums="ee62f4c7f0f16ced4da63308963ccad2 libXrender-0.9.7.tar.bz2 +5d82b028bed7456b38f1d001a222b1d8 CVE-2013-1987-1.patch +8e0adc5dcbf89ea1d0c7fe0e0dd5e8d7 CVE-2013-1987-2.patch +b3bac65a7f41bcacbf5fd8278ac709b6 CVE-2013-1987-3.patch" +sha256sums="f9b46b93c9bc15d5745d193835ac9ba2a2b411878fad60c504bbb8f98492bbe6 libXrender-0.9.7.tar.bz2 +4a0b2e6d693c86eab43aa6e6720de149298ea67b1ccc10a723bfb9db3787703a CVE-2013-1987-1.patch +7ee9c01f3f20f817c37210147afc50038541bea53b270ce2c3eacf9969821a39 CVE-2013-1987-2.patch +141096ee1b739e2ca4b270215dbf1ad9ed57ad9d0b405256241f0fb8e19a61ce CVE-2013-1987-3.patch" +sha512sums="b52cebf6ebcdfc1e321b4ec7a18ba781cd05ddab9bb191532ea4174848fb7bb7f5bc7e609944e6e193f7b808e5b50316ba74b5bf1024e61b11358ac1887b44dc libXrender-0.9.7.tar.bz2 
+5ec8fa4531271e9c6904b00fa828a82e3b2904d8ea7f8803da4175b516f9a4b268e44fd90607244850affd9899f12f107bb038b02529983c04c5968a10d74a0d CVE-2013-1987-1.patch
+45778c206f35b3ccc814bf68713582e1aeda45f182678ca88e194b0eb45f8f930732d465b3d10ee475892c5b7e0a9a67354b0036e0ffe2989c929c27f828d52b CVE-2013-1987-2.patch
+8bee48d9d23ce10aa8076a1c93edd2f2f2b221421ef4d706cacf2f4b23ccb7aea64cfca9fe7766820c8473208fc25d573d72f6a717aa5a0bad9da4297c15af05 CVE-2013-1987-3.patch"
diff --git a/main/libxrender/CVE-2013-1987-1.patch b/main/libxrender/CVE-2013-1987-1.patch
new file mode 100644
index 000000000..706356a74
--- /dev/null
+++ b/main/libxrender/CVE-2013-1987-1.patch
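Review bot: `makedepends="$depends_dev"` drops the explicit `pkgconfig` that the replaced `makedepends="pkgconfig libx11-dev renderproto"` line carried, while the surviving `depends_dev="xproto renderproto libx11-dev"` does not list it. If libXrender's configure locates xproto and renderproto through pkg-config, as X.Org libraries typically do, a clean builder only succeeds when one of those -dev packages pulls pkgconfig in transitively; that is worth confirming, or keep it explicit with `makedepends="$depends_dev pkgconfig"`. The `prepare()` loop is the usual abuild idiom; `patch -p1 -i "$srcdir/$i"` with `$i` inside the quotes would be marginally tighter, though the three patch names here contain no whitespace.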
@@ -0,0 +1,83 @@ +From e52853974664289fe42a92909667ed77cfa1cec5 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sat, 13 Apr 2013 05:45:20 +0000 +Subject: integer overflow in XRenderQueryFilters() [CVE-2013-1987 1/3] + +The length, numFilters & numAliases members of the reply are all CARD32 +and need to be bounds checked before multiplying & adding them together +to come up with the total size to allocate, to avoid integer overflow +leading to underallocation and writing data from the network past the +end of the allocated buffer. + +Reported-by: Ilja Van Sprundel +Signed-off-by: Alan Coopersmith +--- +diff --git a/src/Filter.c b/src/Filter.c +index 924b2a3..edfa572 100644 +--- a/src/Filter.c ++++ b/src/Filter.c +@@ -25,6 +25,7 @@ + #include + #endif + #include "Xrenderint.h" ++#include + + XFilters * + XRenderQueryFilters (Display *dpy, Drawable drawable) +@@ -37,7 +38,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable) + char *name; + char len; + int i; +- long nbytes, nbytesAlias, nbytesName; ++ unsigned long nbytes, nbytesAlias, nbytesName; + + if (!RenderHasExtension (info)) + return NULL; +@@ -60,22 +61,32 @@ XRenderQueryFilters (Display *dpy, Drawable drawable) + SyncHandle (); + return NULL; + } +- /* +- * Compute total number of bytes for filter names +- */ +- nbytes = (long)rep.length << 2; +- nbytesAlias = rep.numAliases * 2; +- if (rep.numAliases & 1) +- nbytesAlias += 2; +- nbytesName = nbytes - nbytesAlias; + + /* +- * Allocate one giant block for the whole data structure ++ * Limit each component of combined size to 1/4 the max, which is far ++ * more than they should ever possibly need. 
+ */ +- filters = Xmalloc (sizeof (XFilters) + +- rep.numFilters * sizeof (char *) + +- rep.numAliases * sizeof (short) + +- nbytesName); ++ if ((rep.length < (INT_MAX >> 2)) && ++ (rep.numFilters < ((INT_MAX / 4) / sizeof (char *))) && ++ (rep.numAliases < ((INT_MAX / 4) / sizeof (short)))) { ++ /* ++ * Compute total number of bytes for filter names ++ */ ++ nbytes = (unsigned long)rep.length << 2; ++ nbytesAlias = rep.numAliases * 2; ++ if (rep.numAliases & 1) ++ nbytesAlias += 2; ++ nbytesName = nbytes - nbytesAlias; ++ ++ /* ++ * Allocate one giant block for the whole data structure ++ */ ++ filters = Xmalloc (sizeof (XFilters) + ++ (rep.numFilters * sizeof (char *)) + ++ (rep.numAliases * sizeof (short)) + ++ nbytesName); ++ } else ++ filters = NULL; + + if (!filters) + { +-- +cgit v0.9.0.2-2-gbebe diff --git a/main/libxrender/CVE-2013-1987-2.patch b/main/libxrender/CVE-2013-1987-2.patch new file mode 100644 index 000000000..4a0980dd7 --- /dev/null +++ b/main/libxrender/CVE-2013-1987-2.patch 
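Review bot: The guard starting at `if ((rep.length < (INT_MAX >> 2)) &&` bounds each reply field on its own but never relates the alias bytes to the reply length, so a reply whose numAliases*2 exceeds length*4 makes the unsigned subtraction `nbytesName = nbytes - nbytesAlias;` wrap to a value near ULONG_MAX. The Xmalloc argument then adds `rep.numAliases * sizeof (short)` back, which is nbytesAlias up to the padding, so the sum wraps again to roughly `sizeof (XFilters) + numFilters * sizeof (char *) + nbytes` and the allocation succeeds at a size smaller than the alias data the function presumably reads into it further down, outside this hunk. Reject the reply before subtracting, e.g. `if (nbytesAlias > nbytes) filters = NULL; else { nbytesName = nbytes - nbytesAlias; filters = Xmalloc (...); }`, or fold `(rep.numAliases * 2 + 2 <= ((unsigned long) rep.length << 2))` into the existing guard. XRenderQueryFilters continues past the end of the hunk, so the reads that consume nbytesAlias and nbytesName are not visible here.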
@@ -0,0 +1,81 @@ +From 9e577d40322b9e3d8bdefec0eefa44d8ead451a4 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sat, 13 Apr 2013 06:02:11 +0000 +Subject: integer overflow in XRenderQueryFormats() [CVE-2013-1987 2/3] + +The length, numFormats, numScreens, numDepths, and numVisuals members of +the reply are all CARD32 and need to be bounds checked before multiplying +and adding them together to come up with the total size to allocate, to +avoid integer overflow leading to underallocation and writing data from +the network past the end of the allocated buffer. + +Reported-by: Ilja Van Sprundel +Signed-off-by: Alan Coopersmith +--- +diff --git a/src/Xrender.c b/src/Xrender.c +index 5c8e5f5..a62c753 100644 +--- a/src/Xrender.c ++++ b/src/Xrender.c +@@ -26,6 +26,7 @@ + #include + #endif + #include "Xrenderint.h" ++#include + + XRenderExtInfo XRenderExtensionInfo; + char XRenderExtensionName[] = RENDER_NAME; +@@ -411,8 +412,8 @@ XRenderQueryFormats (Display *dpy) + CARD32 *xSubpixel; + void *xData; + int nf, ns, nd, nv; +- int rlength; +- int nbytes; ++ unsigned long rlength; ++ unsigned long nbytes; + + RenderCheckExtension (dpy, info, 0); + LockDisplay (dpy); +@@ -458,18 +459,29 @@ XRenderQueryFormats (Display *dpy) + if (async_state.major_version == 0 && async_state.minor_version < 6) + rep.numSubpixel = 0; + +- xri = (XRenderInfo *) Xmalloc (sizeof (XRenderInfo) + +- rep.numFormats * sizeof (XRenderPictFormat) + +- rep.numScreens * sizeof (XRenderScreen) + +- rep.numDepths * sizeof (XRenderDepth) + +- rep.numVisuals * sizeof (XRenderVisual)); +- rlength = (rep.numFormats * sizeof (xPictFormInfo) + +- rep.numScreens * sizeof (xPictScreen) + +- rep.numDepths * sizeof (xPictDepth) + +- rep.numVisuals * sizeof (xPictVisual) + +- rep.numSubpixel * 4); +- xData = (void *) Xmalloc (rlength); +- nbytes = (int) rep.length << 2; ++ if ((rep.numFormats < ((INT_MAX / 4) / sizeof (XRenderPictFormat))) && ++ (rep.numScreens < ((INT_MAX / 4) / sizeof (XRenderScreen))) && ++ 
(rep.numDepths < ((INT_MAX / 4) / sizeof (XRenderDepth))) && ++ (rep.numVisuals < ((INT_MAX / 4) / sizeof (XRenderVisual))) && ++ (rep.numSubpixel < ((INT_MAX / 4) / 4)) && ++ (rep.length < (INT_MAX >> 2)) ) { ++ xri = Xmalloc (sizeof (XRenderInfo) + ++ (rep.numFormats * sizeof (XRenderPictFormat)) + ++ (rep.numScreens * sizeof (XRenderScreen)) + ++ (rep.numDepths * sizeof (XRenderDepth)) + ++ (rep.numVisuals * sizeof (XRenderVisual))); ++ rlength = ((rep.numFormats * sizeof (xPictFormInfo)) + ++ (rep.numScreens * sizeof (xPictScreen)) + ++ (rep.numDepths * sizeof (xPictDepth)) + ++ (rep.numVisuals * sizeof (xPictVisual)) + ++ (rep.numSubpixel * 4)); ++ xData = Xmalloc (rlength); ++ nbytes = (unsigned long) rep.length << 2; ++ } else { ++ xri = NULL; ++ xData = NULL; ++ rlength = nbytes = 0; ++ } + + if (!xri || !xData || nbytes < rlength) + { +-- +cgit v0.9.0.2-2-gbebe diff --git a/main/libxrender/CVE-2013-1987-3.patch b/main/libxrender/CVE-2013-1987-3.patch new file mode 100644 index 000000000..92e35d773 --- /dev/null +++ b/main/libxrender/CVE-2013-1987-3.patch 
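Review bot: The six-term guard beginning `if ((rep.numFormats < ((INT_MAX / 4) / sizeof (XRenderPictFormat))) &&` carries no comment, unlike the equivalent check in the Filter.c patch, and its correctness rests on two facts a reader cannot see: the bounds use the client struct sizes (XRenderPictFormat and friends) while `rlength` multiplies the same counts by the wire struct sizes (xPictFormInfo and friends), so the limit only covers rlength as long as each xPict* struct is no larger than its XRender* counterpart; and with five terms each below INT_MAX/4 the rlength sum can reach about 5/4 of INT_MAX, which is why the `int rlength` → `unsigned long rlength` change earlier in the hunk is load-bearing rather than cosmetic. A comment above the guard such as `/* Each term is kept below INT_MAX/4 so the sums below cannot wrap; rlength may exceed INT_MAX, hence unsigned long. Relies on sizeof (xPict*) <= sizeof (XRender*). */` would record both. The `nbytes < rlength` check after the allocation is the right place for the short-reply case and is already there.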
@@ -0,0 +1,59 @@ +From 786f78fd8df6d165ccbc81f306fd9f22b5c1551c Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Sat, 13 Apr 2013 06:02:11 +0000 +Subject: integer overflow in XRenderQueryPictIndexValues() [CVE-2013-1987 3/3] + +The length and numIndexValues members of the reply are both CARD32 and +need to be bounds checked before multiplying by sizeof (XIndexValue) to +avoid integer overflow leading to underallocation and writing data from +the network past the end of the allocated buffer. + +Reported-by: Ilja Van Sprundel +Signed-off-by: Alan Coopersmith +--- +diff --git a/src/Xrender.c b/src/Xrender.c +index a62c753..3102eb2 100644 +--- a/src/Xrender.c ++++ b/src/Xrender.c +@@ -844,7 +844,7 @@ XRenderQueryPictIndexValues(Display *dpy, + xRenderQueryPictIndexValuesReq *req; + xRenderQueryPictIndexValuesReply rep; + XIndexValue *values; +- int nbytes, nread, rlength, i; ++ unsigned int nbytes, nread, rlength, i; + + RenderCheckExtension (dpy, info, NULL); + +@@ -860,15 +860,22 @@ XRenderQueryPictIndexValues(Display *dpy, + return NULL; + } + +- /* request data length */ +- nbytes = (long)rep.length << 2; +- /* bytes of actual data in the request */ +- nread = rep.numIndexValues * SIZEOF (xIndexValue); +- /* size of array returned to application */ +- rlength = rep.numIndexValues * sizeof (XIndexValue); ++ if ((rep.length < (INT_MAX >> 2)) && ++ (rep.numIndexValues < (INT_MAX / sizeof (XIndexValue)))) { ++ /* request data length */ ++ nbytes = rep.length << 2; ++ /* bytes of actual data in the request */ ++ nread = rep.numIndexValues * SIZEOF (xIndexValue); ++ /* size of array returned to application */ ++ rlength = rep.numIndexValues * sizeof (XIndexValue); ++ ++ /* allocate returned data */ ++ values = Xmalloc (rlength); ++ } else { ++ nbytes = nread = rlength = 0; ++ values = NULL; ++ } + +- /* allocate returned data */ +- values = (XIndexValue *)Xmalloc (rlength); + if (!values) + { + _XEatDataWords (dpy, rep.length); +-- +cgit v0.9.0.2-2-gbebe -- cgit 