author | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-24 09:23:39 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2013-05-24 09:23:39 +0000 |
commit | b262cf6c02f0e15dc88618b6a9e1298ace184057 (patch) | |
tree | 874e073def3c2d40af28279fdc19026ff24ebfab /main/libxres/0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch | |
parent | f4a1e4bfe936b7b1c1364a8ebc769145f060ce25 (diff) | |
main/libxres: fix CVE-2013-1988
ref #1931
Diffstat (limited to 'main/libxres/0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch')
-rw-r--r-- | main/libxres/0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch | 75 |
1 files changed, 75 insertions, 0 deletions
diff --git a/main/libxres/0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch b/main/libxres/0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
new file mode 100644
index 0000000000..9f22c4fa5b
--- /dev/null
+++ b/main/libxres/0002-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
@@ -0,0 +1,75 @@
+From 69457711050ac3a53859ef11790a7ac815cd7d94 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 10:34:22 -0700
+Subject: [PATCH 2/4] Use _XEatDataWords to avoid overflow of rep.length
+ shifting
+
+rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ configure.ac | 6 ++++++
+ src/XRes.c | 16 ++++++++++++++--
+ 2 files changed, 20 insertions(+), 2 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 90205cc..f68b689 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -50,6 +50,12 @@ XORG_CHECK_MALLOC_ZERO
+ # Obtain compiler/linker options for depedencies
+ PKG_CHECK_MODULES(XRES, x11 xext xextproto [resourceproto >= 1.2.0])
+
++# Check for _XEatDataWords function that may be patched into older Xlib release
++SAVE_LIBS="$LIBS"
++LIBS="$XRES_LIBS"
++AC_CHECK_FUNCS([_XEatDataWords])
++LIBS="$SAVE_LIBS"
++
+ AC_CONFIG_FILES([Makefile
+ src/Makefile
+ man/Makefile
+diff --git a/src/XRes.c b/src/XRes.c
+index 1744196..1ab1db8 100644
+--- a/src/XRes.c
++++ b/src/XRes.c
+@@ -13,6 +13,18 @@
+ #include <X11/extensions/XResproto.h>
+ #include <X11/extensions/XRes.h>
+
++#include <limits.h>
++
++#ifndef HAVE__XEATDATAWORDS
++static inline void _XEatDataWords(Display *dpy, unsigned long n)
++{
++# ifndef LONG64
++ if (n >= (ULONG_MAX >> 2))
++ _XIOError(dpy);
++# endif
++ _XEatData (dpy, n << 2);
++}
++#endif
+
+ static XExtensionInfo _xres_ext_info_data;
+ static XExtensionInfo *xres_ext_info = &_xres_ext_info_data;
+@@ -131,7 +143,7 @@ Status XResQueryClients (
+ *num_clients = rep.num_clients;
+ result = 1;
+ } else {
+- _XEatData(dpy, rep.length << 2);
++ _XEatDataWords(dpy, rep.length);
+ }
+ }
+
+@@ -183,7 +195,7 @@ Status XResQueryClientResources (
+ *num_types = rep.num_types;
+ result = 1;
+ } else {
+- _XEatData(dpy, rep.length << 2);
++ _XEatDataWords(dpy, rep.length);
+ }
+ }
+
+--
+1.8.2.3
+ |
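Review bot: The two rewritten call sites in XResQueryClients and XResQueryClientResources only cover the else branch that discards an unwanted reply; the allocation and read on the success path sit above the visible context and are not touched by this file. The subject marks it as patch 2 of 4, so the CVE-2013-1988 fix is complete only if the sibling patches are also applied by the package build, which this page (diffstat limited to one file) does not show. On the fallback helper, a short comment would help the next packager, e.g. `/* n is a count of 4-byte words; on 32-bit long, refuse counts whose byte length would wrap */`. The guard `#ifndef HAVE__XEATDATAWORDS` presumably relies on XRes.c including config.h before this point, which is outside the hunk.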