From f4a1e4bfe936b7b1c1364a8ebc769145f060ce25 Mon Sep 17 00:00:00 2001
From: Natanael Copa
Date: Fri, 24 May 2013 09:14:10 +0000
Subject: main/libxrandr: fix CVE-2013-1986 ref #1931
---
...rflow-in-XRRQueryProviderProperty-CVE-201.patch | 55 ++++++++++++++++++++++
1 file changed, 55 insertions(+)
create mode 100644 main/libxrandr/0004-integer-overflow-in-XRRQueryProviderProperty-CVE-201.patch
(limited to 'main/libxrandr/0004-integer-overflow-in-XRRQueryProviderProperty-CVE-201.patch')
diff --git a/main/libxrandr/0004-integer-overflow-in-XRRQueryProviderProperty-CVE-201.patch b/main/libxrandr/0004-integer-overflow-in-XRRQueryProviderProperty-CVE-201.patch
new file mode 100644
index 000000000..d55f91def
--- /dev/null
+++ b/main/libxrandr/0004-integer-overflow-in-XRRQueryProviderProperty-CVE-201.patch
@@ -0,0 +1,55 @@
+From 1da5b838c2a8565d4d95a4e948f951ce6b466345 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith
+Date: Fri, 12 Apr 2013 21:44:59 -0700
+Subject: [PATCH 4/7] integer overflow in XRRQueryProviderProperty()
+ [CVE-2013-1986 2/4]
+
+Same problem as XRRQueryOutputProperty() that it was cloned from
+
+Signed-off-by: Alan Coopersmith
+---
+ src/XrrProviderProperty.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/src/XrrProviderProperty.c b/src/XrrProviderProperty.c
+index 2d90a0a..dc699f6 100644
+--- a/src/XrrProviderProperty.c
++++ b/src/XrrProviderProperty.c
+@@ -31,6 +31,7 @@
+ #include
+ #include
+ #include "Xrandrint.h"
++#include
+
+ Atom *
+ XRRListProviderProperties (Display *dpy, RRProvider provider, int *nprop)
+@@ -84,7 +85,7 @@ XRRQueryProviderProperty (Display *dpy, RRProvider provider, Atom property)
+ XExtDisplayInfo *info = XRRFindDisplay(dpy);
+ xRRQueryProviderPropertyReply rep;
+ xRRQueryProviderPropertyReq *req;
+- int rbytes, nbytes;
++ unsigned int rbytes, nbytes;
+ XRRPropertyInfo *prop_info;
+
+ RRCheckExtension (dpy, info, NULL);
+@@ -102,10 +103,14 @@ XRRQueryProviderProperty (Display *dpy, RRProvider provider, Atom property)
+ return NULL;
+ }
+
+- rbytes = sizeof (XRRPropertyInfo) + rep.length * sizeof (long);
+- nbytes = rep.length << 2;
++ if (rep.length < ((INT_MAX / sizeof(long)) - sizeof (XRRPropertyInfo))) {
++ rbytes = sizeof (XRRPropertyInfo) + (rep.length * sizeof (long));
++ nbytes = rep.length << 2;
++
++ prop_info = Xmalloc (rbytes);
++ } else
++ prop_info = NULL;
+
+- prop_info = (XRRPropertyInfo *) Xmalloc (rbytes);
+ if (prop_info == NULL) {
+ _XEatDataWords (dpy, rep.length);
+ UnlockDisplay (dpy);
+--
+1.8.2.3
+
-- cgit v1.2.3
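Review bot: In the third hunk of the added libXrandr patch, `nbytes` and `rbytes` are now assigned only inside the `if (rep.length < ...)` branch, so the oversized-reply case is safe only if the `prop_info == NULL` path returns before either variable is read. That return lies outside the hunk and should be confirmed against the full XRRQueryProviderProperty body. The bound is not self-explanatory and would benefit from a comment above the `if`, for example `/* rep.length is supplied by the server reply; reject values whose rbytes would exceed INT_MAX */`. The context line `_XEatDataWords (dpy, rep.length);` suggests this patch presumably depends on an earlier patch in the same series, or on a libX11 that provides that helper, so the package should apply the series in order.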