Diffstat (limited to 'main/libxxf86vm/0007-memory-corruption-in-XF86VidModeGetGammaRamp-CVE-201.patch')
-rw-r--r-- | main/libxxf86vm/0007-memory-corruption-in-XF86VidModeGetGammaRamp-CVE-201.patch | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/main/libxxf86vm/0007-memory-corruption-in-XF86VidModeGetGammaRamp-CVE-201.patch b/main/libxxf86vm/0007-memory-corruption-in-XF86VidModeGetGammaRamp-CVE-201.patch
new file mode 100644
index 0000000000..71dca30fda
--- /dev/null
+++ b/main/libxxf86vm/0007-memory-corruption-in-XF86VidModeGetGammaRamp-CVE-201.patch
@@ -0,0 +1,62 @@
+From 47bb28ac0e6e49d3b6eb90c7c215f2fcf54f1a95 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 14:33:32 -0700
+Subject: [PATCH 7/8] memory corruption in XF86VidModeGetGammaRamp()
+ [CVE-2013-2001]
+
+We trusted the server not to return more data than the client said it had
+allocated room for, and would overflow the provided buffers if it did.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XF86VMode.c | 21 +++++++++++++--------
+ 1 file changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/src/XF86VMode.c b/src/XF86VMode.c
+index bd54937..a32564e 100644
+--- a/src/XF86VMode.c
++++ b/src/XF86VMode.c
+@@ -1110,6 +1110,7 @@ XF86VidModeGetGammaRamp (
+ XExtDisplayInfo *info = find_display (dpy);
+ xXF86VidModeGetGammaRampReq *req;
+ xXF86VidModeGetGammaRampReply rep;
++ Bool result = True;
+
+ XF86VidModeCheckExtension (dpy, info, False);
+
+@@ -1120,19 +1121,23 @@ XF86VidModeGetGammaRamp (
+ req->screen = screen;
+ req->size = size;
+ if (!_XReply (dpy, (xReply *) &rep, 0, xFalse)) {
+- UnlockDisplay (dpy);
+- SyncHandle ();
+- return False;
++ result = False;
+ }
+- if(rep.size) {
+- _XRead(dpy, (char*)red, rep.size << 1);
+- _XRead(dpy, (char*)green, rep.size << 1);
+- _XRead(dpy, (char*)blue, rep.size << 1);
++ else if (rep.size) {
++ if (rep.size <= size) {
++ _XRead(dpy, (char*)red, rep.size << 1);
++ _XRead(dpy, (char*)green, rep.size << 1);
++ _XRead(dpy, (char*)blue, rep.size << 1);
++ }
++ else {
++ _XEatDataWords(dpy, rep.length);
++ result = False;
++ }
+ }
+
+ UnlockDisplay(dpy);
+ SyncHandle();
+- return True;
++ return result;
+ }
+
+ Bool XF86VidModeGetGammaRampSize(
+--
+1.8.2.3
+ |
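Review bot: In the second hunk of the carried patch, the accepted branch `if (rep.size <= size)` sizes its three `_XRead` calls from `rep.size` only, while the reject branch discards `rep.length` words; both fields are server-supplied and nothing visible here compares one with the other, so a reply whose length disagrees with its size would presumably leave unread or missing bytes on the connection. I would at least record that above the check, e.g. `/* rep.size is bounded by the caller's size; rep.length is still trusted as sent */`. When `rep.size < size` the function returns True with the tail of red/green/blue unwritten and no count handed back, which deserves a line in the function's documentation. `_XEatDataWords` is not defined in these lines and this is patch 7 of 8, so the build depends on libX11 or an earlier patch in the series supplying it. The body of XF86VidModeGetGammaRamp begins outside the hunk.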