aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2013-05-24 09:44:11 +0000
committerNatanael Copa <ncopa@alpinelinux.org>2013-05-24 09:44:11 +0000
commita632a13327ab882c590bbae004b3be338edc14cf (patch)
treed0a81c4701d5f4c93baed98904ae3422ddf0df53
parentdfac4cbecc1c27d53504a0d9a80019146c9c9bfb (diff)
downloadaports-a632a13327ab882c590bbae004b3be338edc14cf.tar.bz2
aports-a632a13327ab882c590bbae004b3be338edc14cf.tar.xz
main/libxxf86vm: fix CVE-2013-2001
ref #1931
-rw-r--r--main/libxxf86vm/0001-When-Xcalloc-returns-NULL-you-don-t-need-to-Xfree-it.patch60
-rw-r--r--main/libxxf86vm/0002-Improve-error-handling-in-XF86VidModeGetMonitor.patch134
-rw-r--r--main/libxxf86vm/0003-Unlock-display-before-returning-alloc-error-in-XF86V.patch51
-rw-r--r--main/libxxf86vm/0004-Unlock-display-before-returning-alloc-error-in-XF86V.patch28
-rw-r--r--main/libxxf86vm/0005-Unlock-display-before-returning-alloc-error-in-XF86V.patch56
-rw-r--r--main/libxxf86vm/0006-Use-_XEatDataWords-to-avoid-overflow-of-length-calcu.patch125
-rw-r--r--main/libxxf86vm/0007-memory-corruption-in-XF86VidModeGetGammaRamp-CVE-201.patch62
-rw-r--r--main/libxxf86vm/0008-avoid-integer-overflow-in-XF86VidModeGetModeLine.patch34
-rw-r--r--main/libxxf86vm/APKBUILD61
9 files changed, 603 insertions, 8 deletions
diff --git a/main/libxxf86vm/0001-When-Xcalloc-returns-NULL-you-don-t-need-to-Xfree-it.patch b/main/libxxf86vm/0001-When-Xcalloc-returns-NULL-you-don-t-need-to-Xfree-it.patch
new file mode 100644
index 0000000000..cd5b67a977
--- /dev/null
+++ b/main/libxxf86vm/0001-When-Xcalloc-returns-NULL-you-don-t-need-to-Xfree-it.patch
@@ -0,0 +1,60 @@
+From ef95f1c3737d9efc7d97fb1784f80ef3540a846b Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 15:13:06 -0700
+Subject: [PATCH 1/8] When Xcalloc() returns NULL, you don't need to Xfree() it
+
+I have no words to explain how this ever happened.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ src/XF86VMode.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+diff --git a/src/XF86VMode.c b/src/XF86VMode.c
+index 4f19cf3..c0e50e6 100644
+--- a/src/XF86VMode.c
++++ b/src/XF86VMode.c
+@@ -256,7 +256,6 @@ XF86VidModeGetModeLine(Display* dpy, int screen, int* dotclock,
+ if (modeline->privsize > 0) {
+ if (!(modeline->private = Xcalloc(modeline->privsize, sizeof(INT32)))) {
+ _XEatData(dpy, (modeline->privsize) * sizeof(INT32));
+- Xfree(modeline->private);
+ return False;
+ }
+ _XRead(dpy, (char*)modeline->private, modeline->privsize * sizeof(INT32));
+@@ -321,7 +320,6 @@ XF86VidModeGetAllModeLines(Display* dpy, int screen, int* modecount,
+ _XEatData(dpy, (rep.modecount) * sizeof(xXF86OldVidModeModeInfo));
+ else
+ _XEatData(dpy, (rep.modecount) * sizeof(xXF86VidModeModeInfo));
+- Xfree(modelines);
+ return False;
+ }
+ mdinfptr = (XF86VidModeModeInfo *) (
+@@ -353,7 +351,6 @@ XF86VidModeGetAllModeLines(Display* dpy, int screen, int* modecount,
+ if (!(modelines[i]->private =
+ Xcalloc(oldxmdline.privsize, sizeof(INT32)))) {
+ _XEatData(dpy, (oldxmdline.privsize) * sizeof(INT32));
+- Xfree(modelines[i]->private);
+ } else {
+ _XRead(dpy, (char*)modelines[i]->private,
+ oldxmdline.privsize * sizeof(INT32));
+@@ -384,7 +381,6 @@ XF86VidModeGetAllModeLines(Display* dpy, int screen, int* modecount,
+ if (!(modelines[i]->private =
+ Xcalloc(xmdline.privsize, sizeof(INT32)))) {
+ _XEatData(dpy, (xmdline.privsize) * sizeof(INT32));
+- Xfree(modelines[i]->private);
+ } else {
+ _XRead(dpy, (char*)modelines[i]->private,
+ xmdline.privsize * sizeof(INT32));
+@@ -1039,7 +1035,6 @@ XF86VidModeGetDotClocks(Display* dpy, int screen, int *flagsPtr,
+
+ if (!(dotclocks = (int*) Xcalloc(rep.clocks, sizeof(int)))) {
+ _XEatData(dpy, (rep.clocks) * 4);
+- Xfree(dotclocks);
+ return False;
+ }
+
+--
+1.8.2.3
+
diff --git a/main/libxxf86vm/0002-Improve-error-handling-in-XF86VidModeGetMonitor.patch b/main/libxxf86vm/0002-Improve-error-handling-in-XF86VidModeGetMonitor.patch
new file mode 100644
index 0000000000..099ca99716
--- /dev/null
+++ b/main/libxxf86vm/0002-Improve-error-handling-in-XF86VidModeGetMonitor.patch
@@ -0,0 +1,134 @@
+From a89b1ad3377bfef9bab52f15f98b00f6540d531a Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 17:40:24 -0700
+Subject: [PATCH 2/8] Improve error handling in XF86VidModeGetMonitor()
+
+Ensure that when we return an error we unlock the display first, and
+NULL out any pointers we freed in error cleanup.
+
+Instead of adding these fixes to every error check, instead combine
+the error handling cleanup into a single copy.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ src/XF86VMode.c | 82 +++++++++++++++++++++++++++------------------------------
+ 1 file changed, 39 insertions(+), 43 deletions(-)
+
+diff --git a/src/XF86VMode.c b/src/XF86VMode.c
+index c0e50e6..165f8ba 100644
+--- a/src/XF86VMode.c
++++ b/src/XF86VMode.c
+@@ -856,6 +856,7 @@ XF86VidModeGetMonitor(Display* dpy, int screen, XF86VidModeMonitor* monitor)
+ xXF86VidModeGetMonitorReq *req;
+ CARD32 syncrange;
+ int i;
++ Bool result = True;
+
+ XF86VidModeCheckExtension (dpy, info, False);
+
+@@ -875,63 +876,58 @@ XF86VidModeGetMonitor(Display* dpy, int screen, XF86VidModeMonitor* monitor)
+ monitor->bandwidth = (float)rep.bandwidth / 1e6;
+ #endif
+ if (rep.vendorLength) {
+- if (!(monitor->vendor = (char *)Xcalloc(rep.vendorLength + 1, 1))) {
+- _XEatData(dpy, (rep.nhsync + rep.nvsync) * 4 +
+- ((rep.vendorLength+3) & ~3) + ((rep.modelLength+3) & ~3));
+- return False;
+- }
++ monitor->vendor = Xcalloc(rep.vendorLength + 1, 1);
++ if (monitor->vendor == NULL)
++ result = False;
+ } else {
+ monitor->vendor = NULL;
+ }
+- if (rep.modelLength) {
+- if (!(monitor->model = Xcalloc(rep.modelLength + 1, 1))) {
+- _XEatData(dpy, (rep.nhsync + rep.nvsync) * 4 +
+- ((rep.vendorLength+3) & ~3) + ((rep.modelLength+3) & ~3));
+- if (monitor->vendor)
+- Xfree(monitor->vendor);
+- return False;
+- }
++ if (result && rep.modelLength) {
++ monitor->model = Xcalloc(rep.modelLength + 1, 1);
++ if (monitor->model == NULL)
++ result = False;
+ } else {
+ monitor->model = NULL;
+ }
+- if (!(monitor->hsync = Xcalloc(rep.nhsync, sizeof(XF86VidModeSyncRange)))) {
+- _XEatData(dpy, (rep.nhsync + rep.nvsync) * 4 +
+- ((rep.vendorLength+3) & ~3) + ((rep.modelLength+3) & ~3));
+-
+- if (monitor->vendor)
+- Xfree(monitor->vendor);
+- if (monitor->model)
+- Xfree(monitor->model);
+- return False;
++ if (result) {
++ monitor->hsync = Xcalloc(rep.nhsync, sizeof(XF86VidModeSyncRange));
++ monitor->vsync = Xcalloc(rep.nvsync, sizeof(XF86VidModeSyncRange));
++ if ((monitor->hsync == NULL) || (monitor->vsync == NULL))
++ result = False;
++ } else {
++ monitor->hsync = monitor->vsync = NULL;
+ }
+- if (!(monitor->vsync = Xcalloc(rep.nvsync, sizeof(XF86VidModeSyncRange)))) {
++ if (result == False) {
+ _XEatData(dpy, (rep.nhsync + rep.nvsync) * 4 +
+ ((rep.vendorLength+3) & ~3) + ((rep.modelLength+3) & ~3));
+- if (monitor->vendor)
+- Xfree(monitor->vendor);
+- if (monitor->model)
+- Xfree(monitor->model);
++ Xfree(monitor->vendor);
++ monitor->vendor = NULL;
++ Xfree(monitor->model);
++ monitor->model = NULL;
+ Xfree(monitor->hsync);
+- return False;
+- }
+- for (i = 0; i < rep.nhsync; i++) {
+- _XRead(dpy, (char *)&syncrange, 4);
+- monitor->hsync[i].lo = (float)(syncrange & 0xFFFF) / 100.0;
+- monitor->hsync[i].hi = (float)(syncrange >> 16) / 100.0;
++ monitor->hsync = NULL;
++ Xfree(monitor->vsync);
++ monitor->vsync = NULL;
+ }
+- for (i = 0; i < rep.nvsync; i++) {
+- _XRead(dpy, (char *)&syncrange, 4);
+- monitor->vsync[i].lo = (float)(syncrange & 0xFFFF) / 100.0;
+- monitor->vsync[i].hi = (float)(syncrange >> 16) / 100.0;
++ else {
++ for (i = 0; i < rep.nhsync; i++) {
++ _XRead(dpy, (char *)&syncrange, 4);
++ monitor->hsync[i].lo = (float)(syncrange & 0xFFFF) / 100.0;
++ monitor->hsync[i].hi = (float)(syncrange >> 16) / 100.0;
++ }
++ for (i = 0; i < rep.nvsync; i++) {
++ _XRead(dpy, (char *)&syncrange, 4);
++ monitor->vsync[i].lo = (float)(syncrange & 0xFFFF) / 100.0;
++ monitor->vsync[i].hi = (float)(syncrange >> 16) / 100.0;
++ }
++ if (rep.vendorLength)
++ _XReadPad(dpy, monitor->vendor, rep.vendorLength);
++ if (rep.modelLength)
++ _XReadPad(dpy, monitor->model, rep.modelLength);
+ }
+- if (rep.vendorLength)
+- _XReadPad(dpy, monitor->vendor, rep.vendorLength);
+- if (rep.modelLength)
+- _XReadPad(dpy, monitor->model, rep.modelLength);
+-
+ UnlockDisplay(dpy);
+ SyncHandle();
+- return True;
++ return result;
+ }
+
+ Bool
+--
+1.8.2.3
+
diff --git a/main/libxxf86vm/0003-Unlock-display-before-returning-alloc-error-in-XF86V.patch b/main/libxxf86vm/0003-Unlock-display-before-returning-alloc-error-in-XF86V.patch
new file mode 100644
index 0000000000..3b6bc15b8a
--- /dev/null
+++ b/main/libxxf86vm/0003-Unlock-display-before-returning-alloc-error-in-XF86V.patch
@@ -0,0 +1,51 @@
+From 8ed00bd0a7c44c7fece687e2566d920ea74ef809 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 17:52:12 -0700
+Subject: [PATCH 3/8] Unlock display before returning alloc error in
+ XF86VidModeGetModeLine()
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ src/XF86VMode.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/src/XF86VMode.c b/src/XF86VMode.c
+index 165f8ba..28c79c1 100644
+--- a/src/XF86VMode.c
++++ b/src/XF86VMode.c
+@@ -203,6 +203,7 @@ XF86VidModeGetModeLine(Display* dpy, int screen, int* dotclock,
+ xXF86OldVidModeGetModeLineReply oldrep;
+ xXF86VidModeGetModeLineReq *req;
+ int majorVersion, minorVersion;
++ Bool result = True;
+
+ XF86VidModeCheckExtension (dpy, info, False);
+ XF86VidModeQueryVersion(dpy, &majorVersion, &minorVersion);
+@@ -254,17 +255,18 @@ XF86VidModeGetModeLine(Display* dpy, int screen, int* dotclock,
+ }
+
+ if (modeline->privsize > 0) {
+- if (!(modeline->private = Xcalloc(modeline->privsize, sizeof(INT32)))) {
++ modeline->private = Xcalloc(modeline->privsize, sizeof(INT32));
++ if (modeline->private == NULL) {
+ _XEatData(dpy, (modeline->privsize) * sizeof(INT32));
+- return False;
+- }
+- _XRead(dpy, (char*)modeline->private, modeline->privsize * sizeof(INT32));
++ result = False;
++ } else
++ _XRead(dpy, (char*)modeline->private, modeline->privsize * sizeof(INT32));
+ } else {
+ modeline->private = NULL;
+ }
+ UnlockDisplay(dpy);
+ SyncHandle();
+- return True;
++ return result;
+ }
+
+ Bool
+--
+1.8.2.3
+
diff --git a/main/libxxf86vm/0004-Unlock-display-before-returning-alloc-error-in-XF86V.patch b/main/libxxf86vm/0004-Unlock-display-before-returning-alloc-error-in-XF86V.patch
new file mode 100644
index 0000000000..3be28ee5b8
--- /dev/null
+++ b/main/libxxf86vm/0004-Unlock-display-before-returning-alloc-error-in-XF86V.patch
@@ -0,0 +1,28 @@
+From 6c82906f25abcb0f8ec92bcdaf1872bd8b63ca5d Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 17:54:45 -0700
+Subject: [PATCH 4/8] Unlock display before returning alloc error in
+ XF86VidModeGetAllModeLines()
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ src/XF86VMode.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/XF86VMode.c b/src/XF86VMode.c
+index 28c79c1..76276b6 100644
+--- a/src/XF86VMode.c
++++ b/src/XF86VMode.c
+@@ -322,6 +322,8 @@ XF86VidModeGetAllModeLines(Display* dpy, int screen, int* modecount,
+ _XEatData(dpy, (rep.modecount) * sizeof(xXF86OldVidModeModeInfo));
+ else
+ _XEatData(dpy, (rep.modecount) * sizeof(xXF86VidModeModeInfo));
++ UnlockDisplay(dpy);
++ SyncHandle();
+ return False;
+ }
+ mdinfptr = (XF86VidModeModeInfo *) (
+--
+1.8.2.3
+
diff --git a/main/libxxf86vm/0005-Unlock-display-before-returning-alloc-error-in-XF86V.patch b/main/libxxf86vm/0005-Unlock-display-before-returning-alloc-error-in-XF86V.patch
new file mode 100644
index 0000000000..b59be7bc1a
--- /dev/null
+++ b/main/libxxf86vm/0005-Unlock-display-before-returning-alloc-error-in-XF86V.patch
@@ -0,0 +1,56 @@
+From d0355b28dd53fba6fb29c350e090ed4a73d4c480 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 17:58:28 -0700
+Subject: [PATCH 5/8] Unlock display before returning alloc error in
+ XF86VidModeGetDotClocks()
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ src/XF86VMode.c | 17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+diff --git a/src/XF86VMode.c b/src/XF86VMode.c
+index 76276b6..1b907f4 100644
+--- a/src/XF86VMode.c
++++ b/src/XF86VMode.c
+@@ -1014,6 +1014,7 @@ XF86VidModeGetDotClocks(Display* dpy, int screen, int *flagsPtr,
+ xXF86VidModeGetDotClocksReq *req;
+ int i, *dotclocks;
+ CARD32 dotclk;
++ Bool result = True;
+
+ XF86VidModeCheckExtension (dpy, info, False);
+
+@@ -1033,19 +1034,21 @@ XF86VidModeGetDotClocks(Display* dpy, int screen, int *flagsPtr,
+ *maxclocksPtr = rep.maxclocks;
+ *flagsPtr = rep.flags;
+
+- if (!(dotclocks = (int*) Xcalloc(rep.clocks, sizeof(int)))) {
++ dotclocks = Xcalloc(rep.clocks, sizeof(int));
++ if (dotclocks == NULL) {
+ _XEatData(dpy, (rep.clocks) * 4);
+- return False;
++ result = False;
+ }
+-
+- for (i = 0; i < rep.clocks; i++) {
+- _XRead(dpy, (char*)&dotclk, 4);
+- dotclocks[i] = dotclk;
++ else {
++ for (i = 0; i < rep.clocks; i++) {
++ _XRead(dpy, (char*)&dotclk, 4);
++ dotclocks[i] = dotclk;
++ }
+ }
+ *clocksPtr = dotclocks;
+ UnlockDisplay(dpy);
+ SyncHandle();
+- return True;
++ return result;
+ }
+
+ Bool
+--
+1.8.2.3
+
diff --git a/main/libxxf86vm/0006-Use-_XEatDataWords-to-avoid-overflow-of-length-calcu.patch b/main/libxxf86vm/0006-Use-_XEatDataWords-to-avoid-overflow-of-length-calcu.patch
new file mode 100644
index 0000000000..b10d3b7135
--- /dev/null
+++ b/main/libxxf86vm/0006-Use-_XEatDataWords-to-avoid-overflow-of-length-calcu.patch
@@ -0,0 +1,125 @@
+From 284a88e21fc05a63466115b33efa411c60d988c9 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 14:24:12 -0700
+Subject: [PATCH 6/8] Use _XEatDataWords to avoid overflow of length
+ calculations
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ configure.ac | 6 ++++++
+ src/XF86VMode.c | 35 +++++++++++++++++++++++++----------
+ 2 files changed, 31 insertions(+), 10 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index d8a23b0..b637788 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -22,6 +22,12 @@ XORG_CHECK_MALLOC_ZERO
+ # Obtain compiler/linker options for depedencies
+ PKG_CHECK_MODULES(XXF86VM, xproto x11 xextproto xext [xf86vidmodeproto >= 2.2.99.1])
+
++# Check for _XEatDataWords function that may be patched into older Xlib release
++SAVE_LIBS="$LIBS"
++LIBS="$XXF86VM_LIBS"
++AC_CHECK_FUNCS([_XEatDataWords])
++LIBS="$SAVE_LIBS"
++
+ AC_CONFIG_FILES([Makefile
+ src/Makefile
+ man/Makefile
+diff --git a/src/XF86VMode.c b/src/XF86VMode.c
+index 1b907f4..bd54937 100644
+--- a/src/XF86VMode.c
++++ b/src/XF86VMode.c
+@@ -30,11 +30,27 @@ from Kaleb S. KEITHLEY.
+
+ /* THIS IS NOT AN X CONSORTIUM STANDARD */
+
++#ifdef HAVE_CONFIG_H
++#include <config.h>
++#endif
++
+ #include <X11/Xlibint.h>
+ #include <X11/extensions/xf86vmproto.h>
+ #include <X11/extensions/xf86vmode.h>
+ #include <X11/extensions/Xext.h>
+ #include <X11/extensions/extutil.h>
++#include <limits.h>
++
++#ifndef HAVE__XEATDATAWORDS
++static inline void _XEatDataWords(Display *dpy, unsigned long n)
++{
++# ifndef LONG64
++ if (n >= (ULONG_MAX >> 2))
++ _XIOError(dpy);
++# endif
++ _XEatData (dpy, n << 2);
++}
++#endif
+
+ #ifdef DEBUG
+ #include <stdio.h>
+@@ -257,7 +273,8 @@ XF86VidModeGetModeLine(Display* dpy, int screen, int* dotclock,
+ if (modeline->privsize > 0) {
+ modeline->private = Xcalloc(modeline->privsize, sizeof(INT32));
+ if (modeline->private == NULL) {
+- _XEatData(dpy, (modeline->privsize) * sizeof(INT32));
++ _XEatDataWords(dpy, rep.length -
++ ((SIZEOF(xXF86VidModeGetModeLineReply) - SIZEOF(xReply)) >> 2));
+ result = False;
+ } else
+ _XRead(dpy, (char*)modeline->private, modeline->privsize * sizeof(INT32));
+@@ -318,10 +335,8 @@ XF86VidModeGetAllModeLines(Display* dpy, int screen, int* modecount,
+ if (!(modelines = (XF86VidModeModeInfo **) Xcalloc(rep.modecount,
+ sizeof(XF86VidModeModeInfo *)
+ +sizeof(XF86VidModeModeInfo)))) {
+- if (majorVersion < 2)
+- _XEatData(dpy, (rep.modecount) * sizeof(xXF86OldVidModeModeInfo));
+- else
+- _XEatData(dpy, (rep.modecount) * sizeof(xXF86VidModeModeInfo));
++ _XEatDataWords(dpy, rep.length -
++ ((SIZEOF(xXF86VidModeGetAllModeLinesReply) - SIZEOF(xReply)) >> 2));
+ UnlockDisplay(dpy);
+ SyncHandle();
+ return False;
+@@ -354,7 +369,7 @@ XF86VidModeGetAllModeLines(Display* dpy, int screen, int* modecount,
+ if (oldxmdline.privsize > 0) {
+ if (!(modelines[i]->private =
+ Xcalloc(oldxmdline.privsize, sizeof(INT32)))) {
+- _XEatData(dpy, (oldxmdline.privsize) * sizeof(INT32));
++ _XEatDataWords(dpy, oldxmdline.privsize);
+ } else {
+ _XRead(dpy, (char*)modelines[i]->private,
+ oldxmdline.privsize * sizeof(INT32));
+@@ -384,7 +399,7 @@ XF86VidModeGetAllModeLines(Display* dpy, int screen, int* modecount,
+ if (xmdline.privsize > 0) {
+ if (!(modelines[i]->private =
+ Xcalloc(xmdline.privsize, sizeof(INT32)))) {
+- _XEatData(dpy, (xmdline.privsize) * sizeof(INT32));
++ _XEatDataWords(dpy, xmdline.privsize);
+ } else {
+ _XRead(dpy, (char*)modelines[i]->private,
+ xmdline.privsize * sizeof(INT32));
+@@ -902,8 +917,7 @@ XF86VidModeGetMonitor(Display* dpy, int screen, XF86VidModeMonitor* monitor)
+ monitor->hsync = monitor->vsync = NULL;
+ }
+ if (result == False) {
+- _XEatData(dpy, (rep.nhsync + rep.nvsync) * 4 +
+- ((rep.vendorLength+3) & ~3) + ((rep.modelLength+3) & ~3));
++ _XEatDataWords(dpy, rep.length);
+ Xfree(monitor->vendor);
+ monitor->vendor = NULL;
+ Xfree(monitor->model);
+@@ -1036,7 +1050,8 @@ XF86VidModeGetDotClocks(Display* dpy, int screen, int *flagsPtr,
+
+ dotclocks = Xcalloc(rep.clocks, sizeof(int));
+ if (dotclocks == NULL) {
+- _XEatData(dpy, (rep.clocks) * 4);
++ _XEatDataWords(dpy, rep.length -
++ ((SIZEOF(xXF86VidModeGetDotClocksReply) - SIZEOF(xReply)) >> 2));
+ result = False;
+ }
+ else {
+--
+1.8.2.3
+
diff --git a/main/libxxf86vm/0007-memory-corruption-in-XF86VidModeGetGammaRamp-CVE-201.patch b/main/libxxf86vm/0007-memory-corruption-in-XF86VidModeGetGammaRamp-CVE-201.patch
new file mode 100644
index 0000000000..71dca30fda
--- /dev/null
+++ b/main/libxxf86vm/0007-memory-corruption-in-XF86VidModeGetGammaRamp-CVE-201.patch
@@ -0,0 +1,62 @@
+From 47bb28ac0e6e49d3b6eb90c7c215f2fcf54f1a95 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 14:33:32 -0700
+Subject: [PATCH 7/8] memory corruption in XF86VidModeGetGammaRamp()
+ [CVE-2013-2001]
+
+We trusted the server not to return more data than the client said it had
+allocated room for, and would overflow the provided buffers if it did.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XF86VMode.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/src/XF86VMode.c b/src/XF86VMode.c
+index bd54937..a32564e 100644
+--- a/src/XF86VMode.c
++++ b/src/XF86VMode.c
+@@ -1110,6 +1110,7 @@ XF86VidModeGetGammaRamp (
+ XExtDisplayInfo *info = find_display (dpy);
+ xXF86VidModeGetGammaRampReq *req;
+ xXF86VidModeGetGammaRampReply rep;
++ Bool result = True;
+
+ XF86VidModeCheckExtension (dpy, info, False);
+
+@@ -1120,19 +1121,23 @@ XF86VidModeGetGammaRamp (
+ req->screen = screen;
+ req->size = size;
+ if (!_XReply (dpy, (xReply *) &rep, 0, xFalse)) {
+- UnlockDisplay (dpy);
+- SyncHandle ();
+- return False;
++ result = False;
+ }
+- if(rep.size) {
+- _XRead(dpy, (char*)red, rep.size << 1);
+- _XRead(dpy, (char*)green, rep.size << 1);
+- _XRead(dpy, (char*)blue, rep.size << 1);
++ else if (rep.size) {
++ if (rep.size <= size) {
++ _XRead(dpy, (char*)red, rep.size << 1);
++ _XRead(dpy, (char*)green, rep.size << 1);
++ _XRead(dpy, (char*)blue, rep.size << 1);
++ }
++ else {
++ _XEatDataWords(dpy, rep.length);
++ result = False;
++ }
+ }
+
+ UnlockDisplay(dpy);
+ SyncHandle();
+- return True;
++ return result;
+ }
+
+ Bool XF86VidModeGetGammaRampSize(
+--
+1.8.2.3
+
diff --git a/main/libxxf86vm/0008-avoid-integer-overflow-in-XF86VidModeGetModeLine.patch b/main/libxxf86vm/0008-avoid-integer-overflow-in-XF86VidModeGetModeLine.patch
new file mode 100644
index 0000000000..f879c5b116
--- /dev/null
+++ b/main/libxxf86vm/0008-avoid-integer-overflow-in-XF86VidModeGetModeLine.patch
@@ -0,0 +1,34 @@
+From 4c4123441e40da97acd10f58911193ad3dcef5cd Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 14:43:48 -0700
+Subject: [PATCH 8/8] avoid integer overflow in XF86VidModeGetModeLine()
+
+rep.privsize is a CARD32 and needs to be bounds checked before multiplying
+by sizeof(INT32) to come up with the total size to allocate & read to avoid
+integer overflow, though it would not result in buffer overflow as the same
+calculation was used for both allocation & reading from the network.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XF86VMode.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/XF86VMode.c b/src/XF86VMode.c
+index a32564e..fb94816 100644
+--- a/src/XF86VMode.c
++++ b/src/XF86VMode.c
+@@ -271,7 +271,10 @@ XF86VidModeGetModeLine(Display* dpy, int screen, int* dotclock,
+ }
+
+ if (modeline->privsize > 0) {
+- modeline->private = Xcalloc(modeline->privsize, sizeof(INT32));
++ if (modeline->privsize < (INT_MAX / sizeof(INT32)))
++ modeline->private = Xcalloc(modeline->privsize, sizeof(INT32));
++ else
++ modeline->private = NULL;
+ if (modeline->private == NULL) {
+ _XEatDataWords(dpy, rep.length -
+ ((SIZEOF(xXF86VidModeGetModeLineReply) - SIZEOF(xReply)) >> 2));
+--
+1.8.2.3
+
diff --git a/main/libxxf86vm/APKBUILD b/main/libxxf86vm/APKBUILD
index edcfc275f7..fec2991790 100644
--- a/main/libxxf86vm/APKBUILD
+++ b/main/libxxf86vm/APKBUILD
@@ -1,29 +1,74 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libxxf86vm
pkgver=1.1.2
-pkgrel=0
+pkgrel=1
pkgdesc="X11 XFree86 video mode extension library"
url="http://xorg.freedesktop.org/"
arch="all"
license="custom"
subpackages="$pkgname-dev $pkgname-doc"
depends=
-makedepends="pkgconfig xproto libx11-dev xf86vidmodeproto xextproto
- libxext-dev"
-source="http://xorg.freedesktop.org/releases/individual/lib/libXxf86vm-$pkgver.tar.bz2"
-
depends_dev="xf86vidmodeproto libx11-dev libxext-dev"
+makedepends="$depends_dev libtool autoconf automake util-macros"
+source="http://xorg.freedesktop.org/releases/individual/lib/libXxf86vm-$pkgver.tar.bz2
+ 0001-When-Xcalloc-returns-NULL-you-don-t-need-to-Xfree-it.patch
+ 0002-Improve-error-handling-in-XF86VidModeGetMonitor.patch
+ 0003-Unlock-display-before-returning-alloc-error-in-XF86V.patch
+ 0004-Unlock-display-before-returning-alloc-error-in-XF86V.patch
+ 0005-Unlock-display-before-returning-alloc-error-in-XF86V.patch
+ 0006-Use-_XEatDataWords-to-avoid-overflow-of-length-calcu.patch
+ 0007-memory-corruption-in-XF86VidModeGetGammaRamp-CVE-201.patch
+ 0008-avoid-integer-overflow-in-XF86VidModeGetModeLine.patch
+ "
+
+_builddir="$srcdir"/libXxf86vm-$pkgver
+prepare() {
+ cd "$_builddir"
+ for i in $source; do
+ case $i in
+ *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+ esac
+ done
+ libtoolize --force && aclocal && autoheader && autoconf \
+ && automake --add-missing
+}
build() {
- cd "$srcdir"/libXxf86vm-$pkgver
+ cd "$_builddir"
./configure --prefix=/usr || return 1
make || return 1
}
package() {
- cd "$srcdir"/libXxf86vm-$pkgver
+ cd "$_builddir"
make DESTDIR="$pkgdir" install || return 1
rm "$pkgdir"/usr/lib/*.la || return 1
install -Dm644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/COPYING
}
-md5sums="ffd93bcedd8b2b5aeabf184e7b91f326 libXxf86vm-1.1.2.tar.bz2"
+md5sums="ffd93bcedd8b2b5aeabf184e7b91f326 libXxf86vm-1.1.2.tar.bz2
+0147e68657e82274c85d9a76360f2f7e 0001-When-Xcalloc-returns-NULL-you-don-t-need-to-Xfree-it.patch
+93ea0ba28daa2b9a0446b21e317c454e 0002-Improve-error-handling-in-XF86VidModeGetMonitor.patch
+becbb6759243d4f5e7d87d611501b2e8 0003-Unlock-display-before-returning-alloc-error-in-XF86V.patch
+7cc84f83f064d575c8628f45afec2691 0004-Unlock-display-before-returning-alloc-error-in-XF86V.patch
+d16fbe7f3656d1c65aa74f4a45a8bbcd 0005-Unlock-display-before-returning-alloc-error-in-XF86V.patch
+722b2379320147190135f00eb12782c5 0006-Use-_XEatDataWords-to-avoid-overflow-of-length-calcu.patch
+569c6902f1b15289b02d2f7a644a34cc 0007-memory-corruption-in-XF86VidModeGetGammaRamp-CVE-201.patch
+a86c5904529d2ccfd92c12aef547136e 0008-avoid-integer-overflow-in-XF86VidModeGetModeLine.patch"
+sha256sums="a564172fb866b1b587bbccb7d041088931029845245e0d15c32ca7f1bb48fc84 libXxf86vm-1.1.2.tar.bz2
+b457de56462689eff9b2d5b61e07e767bcfe85b2e1c6317cf97fe0a420d95409 0001-When-Xcalloc-returns-NULL-you-don-t-need-to-Xfree-it.patch
+a5f97c643cb7a09c9fdb10c99445d968de038f49ad7ab145094a816991f09ec9 0002-Improve-error-handling-in-XF86VidModeGetMonitor.patch
+442d8fffc438a6e22114d77775df86bd8166e57f404f510d4e85824a8e8446bb 0003-Unlock-display-before-returning-alloc-error-in-XF86V.patch
+30b41220a8399c7961be7f5b0be83a18fb357100ca94b03e898f4a7b7cc0d00d 0004-Unlock-display-before-returning-alloc-error-in-XF86V.patch
+3e82f5d621c2d7e4fa7010cb28c5c2e35fd668fd9acc6db5a1a00c9c63067d19 0005-Unlock-display-before-returning-alloc-error-in-XF86V.patch
+e0e3298f6be09483b376a3da0ba5944befc9d46b1cb2b6e1c043c2eb832bcc91 0006-Use-_XEatDataWords-to-avoid-overflow-of-length-calcu.patch
+531c281d602c67b1c702cecb35f948a97ee67fcbd429e723239ff240c69a8594 0007-memory-corruption-in-XF86VidModeGetGammaRamp-CVE-201.patch
+62e4c96728c0adea4b5c2c9ce4c1089ffe6b57a5466a2789832681bc56d8cd47 0008-avoid-integer-overflow-in-XF86VidModeGetModeLine.patch"
+sha512sums="594243f2d0275a3036754e5cfd3f440f2faae78f6c836e6787129d54a559af0ceba6fefe18d98d6908aa75ea322875a188a3b3ffee7e3deec1168c7656e7a96a libXxf86vm-1.1.2.tar.bz2
+4b40e349407a105d07a54b72077b9a7d6371db743b377cbe246d7d21f7894b549fd2ebf77b0acac6520e513829491c07b3b76891d2fe450baf294caa7be72db3 0001-When-Xcalloc-returns-NULL-you-don-t-need-to-Xfree-it.patch
+09a8cd3b934b4c46c2143c50cde25e70b0800afcafa265c00f2118f4ce0f74eaffb8cede5027b1d065469da874f27adf2efb18500bb7b4fca70a911096f7db48 0002-Improve-error-handling-in-XF86VidModeGetMonitor.patch
+38260b81f4e052587a2f38a1d15202511070b7c9985ea374d732abd982953c98d1fbc96b56bd3b57afdae3728f5607e6cb83ee2b43a871c36f4d9366df058ca2 0003-Unlock-display-before-returning-alloc-error-in-XF86V.patch
+f2a891c4aec0c2d640f92cf63a05f6655531089735c59d9b184b5ef460a850f6cf4f8dfce582cced12dd9d7b14f6e91e590bf9feef37ba714561b696b0e67485 0004-Unlock-display-before-returning-alloc-error-in-XF86V.patch
+f54396628ff1ab4c31396960b3ee79311a00bd6147d1f76128f9c3f9dbe81bbfeaa7e37e4c1c7686cadfa2901e95e75e06e8f1c297a90f2287a0c4e22382beab 0005-Unlock-display-before-returning-alloc-error-in-XF86V.patch
+a4a260efeb52f00ddf2adb476f241a88b6809bda75e3b5477ca15caba24e2b9f0fa9fc6cf070fb2f3ba64f7b5d1b9372727533e80d61c1ae3da035952aa87741 0006-Use-_XEatDataWords-to-avoid-overflow-of-length-calcu.patch
+e54a46c0c0d54b08daa62578a814ed1dafaa66d5b2e13e2f50dc0dfb11dc061dc505e7001c39ce579f9f4d2ce29dd6b53c40109800c1692d7102f1c5b0583b24 0007-memory-corruption-in-XF86VidModeGetGammaRamp-CVE-201.patch
+43e2e04e1da133e986ec717e294a7f4fad803d7ff8cafa9a120649cfec30dc986516f0bd7389781cf0dfcda84c59dce63831c47f58f6d25ee6b488cced742d59 0008-avoid-integer-overflow-in-XF86VidModeGetModeLine.patch"