diff options
Diffstat (limited to 'main/libxv/0005-integer-overflow-in-XvCreateImage-CVE-2013-1989-3-3.patch')
| -rw-r--r-- | main/libxv/0005-integer-overflow-in-XvCreateImage-CVE-2013-1989-3-3.patch | 35 |
1 files changed, 35 insertions, 0 deletions
diff --git a/main/libxv/0005-integer-overflow-in-XvCreateImage-CVE-2013-1989-3-3.patch b/main/libxv/0005-integer-overflow-in-XvCreateImage-CVE-2013-1989-3-3.patch new file mode 100644 index 000000000..2be6900c3 --- /dev/null +++ b/main/libxv/0005-integer-overflow-in-XvCreateImage-CVE-2013-1989-3-3.patch @@ -0,0 +1,35 @@ +From 50fc4cb18069cb9450a02c13f80223ef23511409 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat, 13 Apr 2013 00:03:03 -0700 +Subject: [PATCH 5/5] integer overflow in XvCreateImage() [CVE-2013-1989 3/3] + +num_planes is a CARD32 and needs to be bounds checked before bit shifting +and adding to sizeof(XvImage) to come up with the total size to allocate, +to avoid integer overflow leading to underallocation and writing data from +the network past the end of the allocated buffer. + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + src/Xv.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/Xv.c b/src/Xv.c +index 0a07d9d..f268f8e 100644 +--- a/src/Xv.c ++++ b/src/Xv.c +@@ -992,7 +992,10 @@ XvImage * XvCreateImage ( + return NULL; + } + +- if((ret = (XvImage*)Xmalloc(sizeof(XvImage) + (rep.num_planes << 3)))) { ++ if (rep.num_planes < ((INT_MAX >> 3) - sizeof(XvImage))) ++ ret = Xmalloc(sizeof(XvImage) + (rep.num_planes << 3)); ++ ++ if (ret != NULL) { + ret->id = id; + ret->width = rep.width; + ret->height = rep.height; +-- +1.8.2.3 + |