aboutsummaryrefslogtreecommitdiffstats
path: root/main/libxxf86vm/0007-memory-corruption-in-XF86VidModeGetGammaRamp-CVE-201.patch
diff options
context:
space:
mode:
Diffstat (limited to 'main/libxxf86vm/0007-memory-corruption-in-XF86VidModeGetGammaRamp-CVE-201.patch')
-rw-r--r--main/libxxf86vm/0007-memory-corruption-in-XF86VidModeGetGammaRamp-CVE-201.patch62
1 files changed, 62 insertions, 0 deletions
diff --git a/main/libxxf86vm/0007-memory-corruption-in-XF86VidModeGetGammaRamp-CVE-201.patch b/main/libxxf86vm/0007-memory-corruption-in-XF86VidModeGetGammaRamp-CVE-201.patch
new file mode 100644
index 0000000000..71dca30fda
--- /dev/null
+++ b/main/libxxf86vm/0007-memory-corruption-in-XF86VidModeGetGammaRamp-CVE-201.patch
@@ -0,0 +1,62 @@
+From 47bb28ac0e6e49d3b6eb90c7c215f2fcf54f1a95 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 14:33:32 -0700
+Subject: [PATCH 7/8] memory corruption in XF86VidModeGetGammaRamp()
+ [CVE-2013-2001]
+
+We trusted the server not to return more data than the client said it had
+allocated room for, and would overflow the provided buffers if it did.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XF86VMode.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/src/XF86VMode.c b/src/XF86VMode.c
+index bd54937..a32564e 100644
+--- a/src/XF86VMode.c
++++ b/src/XF86VMode.c
+@@ -1110,6 +1110,7 @@ XF86VidModeGetGammaRamp (
+ XExtDisplayInfo *info = find_display (dpy);
+ xXF86VidModeGetGammaRampReq *req;
+ xXF86VidModeGetGammaRampReply rep;
++ Bool result = True;
+
+ XF86VidModeCheckExtension (dpy, info, False);
+
+@@ -1120,19 +1121,23 @@ XF86VidModeGetGammaRamp (
+ req->screen = screen;
+ req->size = size;
+ if (!_XReply (dpy, (xReply *) &rep, 0, xFalse)) {
+- UnlockDisplay (dpy);
+- SyncHandle ();
+- return False;
++ result = False;
+ }
+- if(rep.size) {
+- _XRead(dpy, (char*)red, rep.size << 1);
+- _XRead(dpy, (char*)green, rep.size << 1);
+- _XRead(dpy, (char*)blue, rep.size << 1);
++ else if (rep.size) {
++ if (rep.size <= size) {
++ _XRead(dpy, (char*)red, rep.size << 1);
++ _XRead(dpy, (char*)green, rep.size << 1);
++ _XRead(dpy, (char*)blue, rep.size << 1);
++ }
++ else {
++ _XEatDataWords(dpy, rep.length);
++ result = False;
++ }
+ }
+
+ UnlockDisplay(dpy);
+ SyncHandle();
+- return True;
++ return result;
+ }
+
+ Bool XF86VidModeGetGammaRampSize(
+--
+1.8.2.3
+