diff options
Diffstat (limited to 'main/libxext/0002-integer-overflow-in-XcupGetReservedColormapEntries-C.patch')
| -rw-r--r-- | main/libxext/0002-integer-overflow-in-XcupGetReservedColormapEntries-C.patch | 60 |
1 files changed, 60 insertions, 0 deletions
diff --git a/main/libxext/0002-integer-overflow-in-XcupGetReservedColormapEntries-C.patch b/main/libxext/0002-integer-overflow-in-XcupGetReservedColormapEntries-C.patch new file mode 100644 index 0000000000..d974de57af --- /dev/null +++ b/main/libxext/0002-integer-overflow-in-XcupGetReservedColormapEntries-C.patch @@ -0,0 +1,60 @@ +From d05f27a6f74cb419ad5a437f2e4690b17e7faee5 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat, 9 Mar 2013 14:40:33 -0800 +Subject: [PATCH 2/7] integer overflow in XcupGetReservedColormapEntries() + [CVE-2013-1982 1/6] + +If the computed number of entries is large enough that it overflows when +multiplied by the size of a xColorItem struct, or is treated as negative +when compared to the size of the stack allocated buffer, then memory +corruption can occur when more bytes are read from the X server than the +size of the buffer we allocated to hold them. + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + src/Xcup.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +diff --git a/src/Xcup.c b/src/Xcup.c +index 1f1d625..670f356 100644 +--- a/src/Xcup.c ++++ b/src/Xcup.c +@@ -36,6 +36,7 @@ in this Software without prior written authorization from The Open Group. + #include <X11/extensions/cupproto.h> + #include <X11/extensions/Xext.h> + #include <X11/extensions/extutil.h> ++#include <limits.h> + #include "eat.h" + + static XExtensionInfo _xcup_info_data; +@@ -134,15 +135,19 @@ XcupGetReservedColormapEntries( + req->xcupReqType = X_XcupGetReservedColormapEntries; + req->screen = screen; + if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) { +- long nbytes; ++ unsigned long nbytes; + xColorItem* rbufp; +- int nentries = rep.length / 3; ++ unsigned int nentries = rep.length / 3; + +- nbytes = nentries * SIZEOF (xColorItem); +- if (nentries > TYP_RESERVED_ENTRIES) +- rbufp = (xColorItem*) Xmalloc (nbytes); +- else +- rbufp = rbuf; ++ if (nentries < (INT_MAX / SIZEOF (xColorItem))) { ++ nbytes = nentries * SIZEOF (xColorItem); ++ ++ if (nentries > TYP_RESERVED_ENTRIES) ++ rbufp = Xmalloc (nbytes); ++ else ++ rbufp = rbuf; ++ } else ++ rbufp = NULL; + + if (rbufp == NULL) { + _XEatDataWords(dpy, rep.length); +-- +1.8.2.3 + |