diff options
author | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-24 09:28:38 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-24 09:28:38 +0000 |
commit | a04d1c8ff925273f3caf3a46393cf73ac2b96ab5 (patch) | |
tree | 23a563825641ef144859bb0ada124d462b61b143 /main/libxv/0005-integer-overflow-in-XvCreateImage-CVE-2013-1989-3-3.patch | |
parent | b262cf6c02f0e15dc88618b6a9e1298ace184057 (diff) | |
download | aports-a04d1c8ff925273f3caf3a46393cf73ac2b96ab5.tar.bz2 aports-a04d1c8ff925273f3caf3a46393cf73ac2b96ab5.tar.xz |
main/libxv: fix CVE-2013-1989,CVE-2013-2066
ref #1931
Diffstat (limited to 'main/libxv/0005-integer-overflow-in-XvCreateImage-CVE-2013-1989-3-3.patch')
-rw-r--r-- | main/libxv/0005-integer-overflow-in-XvCreateImage-CVE-2013-1989-3-3.patch | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/main/libxv/0005-integer-overflow-in-XvCreateImage-CVE-2013-1989-3-3.patch b/main/libxv/0005-integer-overflow-in-XvCreateImage-CVE-2013-1989-3-3.patch new file mode 100644 index 000000000..2be6900c3 --- /dev/null +++ b/main/libxv/0005-integer-overflow-in-XvCreateImage-CVE-2013-1989-3-3.patch @@ -0,0 +1,35 @@ +From 50fc4cb18069cb9450a02c13f80223ef23511409 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat, 13 Apr 2013 00:03:03 -0700 +Subject: [PATCH 5/5] integer overflow in XvCreateImage() [CVE-2013-1989 3/3] + +num_planes is a CARD32 and needs to be bounds checked before bit shifting +and adding to sizeof(XvImage) to come up with the total size to allocate, +to avoid integer overflow leading to underallocation and writing data from +the network past the end of the allocated buffer. + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + src/Xv.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/Xv.c b/src/Xv.c +index 0a07d9d..f268f8e 100644 +--- a/src/Xv.c ++++ b/src/Xv.c +@@ -992,7 +992,10 @@ XvImage * XvCreateImage ( + return NULL; + } + +- if((ret = (XvImage*)Xmalloc(sizeof(XvImage) + (rep.num_planes << 3)))) { ++ if (rep.num_planes < ((INT_MAX >> 3) - sizeof(XvImage))) ++ ret = Xmalloc(sizeof(XvImage) + (rep.num_planes << 3)); ++ ++ if (ret != NULL) { + ret->id = id; + ret->width = rep.width; + ret->height = rep.height; +-- +1.8.2.3 + |