diff options
| author | Natanael Copa <ncopa@alpinelinux.org> | 2013-06-06 16:11:30 +0000 |
|---|---|---|
| committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-06-06 16:11:30 +0000 |
| commit | 1d7e3d391539e3d00b567b40ae2e6f66a96d4301 (patch) | |
| tree | b5c963e015e0c46a55181be9928c06be976c880a /main/libxrandr/0003-integer-overflow-in-XRRQueryOutputProperty-CVE-2013-.patch | |
| parent | 35abd83d4097101fbeeb4a212526848d22ecfa55 (diff) | |
| download | aports-1d7e3d391539e3d00b567b40ae2e6f66a96d4301.tar.bz2 aports-1d7e3d391539e3d00b567b40ae2e6f66a96d4301.tar.xz | |
main/libxrandr: upgrade to 1.4.1
Diffstat (limited to 'main/libxrandr/0003-integer-overflow-in-XRRQueryOutputProperty-CVE-2013-.patch')
| -rw-r--r-- | main/libxrandr/0003-integer-overflow-in-XRRQueryOutputProperty-CVE-2013-.patch | 60 |
1 files changed, 0 insertions, 60 deletions
diff --git a/main/libxrandr/0003-integer-overflow-in-XRRQueryOutputProperty-CVE-2013-.patch b/main/libxrandr/0003-integer-overflow-in-XRRQueryOutputProperty-CVE-2013-.patch deleted file mode 100644 index 0d07f5459d..0000000000 --- a/main/libxrandr/0003-integer-overflow-in-XRRQueryOutputProperty-CVE-2013-.patch +++ /dev/null @@ -1,60 +0,0 @@ -From 0e79d96c36aef5889ae2e2a3fc2e96e93f30dc21 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith <alan.coopersmith@oracle.com> -Date: Fri, 12 Apr 2013 21:44:59 -0700 -Subject: [PATCH 3/7] integer overflow in XRRQueryOutputProperty() - [CVE-2013-1986 1/4] - -rep.length is a CARD32, while rbytes was a signed int, so - rbytes = sizeof (XRRPropertyInfo) + rep.length * sizeof (long); -could result in integer overflow, leading to an undersized malloc -and reading data off the connection and writing it past the end of -the allocated buffer. - -Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> -Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> ---- - src/XrrProperty.c | 13 +++++++++---- - 1 file changed, 9 insertions(+), 4 deletions(-) - -diff --git a/src/XrrProperty.c b/src/XrrProperty.c -index 2b065b2..50382bf 100644 ---- a/src/XrrProperty.c -+++ b/src/XrrProperty.c -@@ -31,6 +31,7 @@ - #include <X11/extensions/render.h> - #include <X11/extensions/Xrender.h> - #include "Xrandrint.h" -+#include <limits.h> - - Atom * - XRRListOutputProperties (Display *dpy, RROutput output, int *nprop) -@@ -84,7 +85,7 @@ XRRQueryOutputProperty (Display *dpy, RROutput output, Atom property) - XExtDisplayInfo *info = XRRFindDisplay(dpy); - xRRQueryOutputPropertyReply rep; - xRRQueryOutputPropertyReq *req; -- int rbytes, nbytes; -+ unsigned int rbytes, nbytes; - XRRPropertyInfo *prop_info; - - RRCheckExtension (dpy, info, NULL); -@@ -102,10 +103,14 @@ XRRQueryOutputProperty (Display *dpy, RROutput output, Atom property) - return NULL; - } - -- rbytes = sizeof (XRRPropertyInfo) + rep.length * sizeof (long); -- nbytes = rep.length << 2; -+ if (rep.length < ((INT_MAX / sizeof(long)) - sizeof (XRRPropertyInfo))) { -+ rbytes = sizeof (XRRPropertyInfo) + (rep.length * sizeof (long)); -+ nbytes = rep.length << 2; -+ -+ prop_info = Xmalloc (rbytes); -+ } else -+ prop_info = NULL; - -- prop_info = (XRRPropertyInfo *) Xmalloc (rbytes); - if (prop_info == NULL) { - _XEatDataWords(dpy, rep.length); - UnlockDisplay (dpy); --- -1.8.2.3 - |