diff options
Diffstat (limited to 'main/libxxf86vm/0008-avoid-integer-overflow-in-XF86VidModeGetModeLine.patch')
-rw-r--r-- | main/libxxf86vm/0008-avoid-integer-overflow-in-XF86VidModeGetModeLine.patch | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/main/libxxf86vm/0008-avoid-integer-overflow-in-XF86VidModeGetModeLine.patch b/main/libxxf86vm/0008-avoid-integer-overflow-in-XF86VidModeGetModeLine.patch new file mode 100644 index 0000000000..f879c5b116 --- /dev/null +++ b/main/libxxf86vm/0008-avoid-integer-overflow-in-XF86VidModeGetModeLine.patch @@ -0,0 +1,34 @@ +From 4c4123441e40da97acd10f58911193ad3dcef5cd Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Sat, 13 Apr 2013 14:43:48 -0700 +Subject: [PATCH 8/8] avoid integer overflow in XF86VidModeGetModeLine() + +rep.privsize is a CARD32 and needs to be bounds checked before multiplying +by sizeof(INT32) to come up with the total size to allocate & read to avoid +integer overflow, though it would not result in buffer overflow as the same +calculation was used for both allocation & reading from the network. + +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + src/XF86VMode.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/XF86VMode.c b/src/XF86VMode.c +index a32564e..fb94816 100644 +--- a/src/XF86VMode.c ++++ b/src/XF86VMode.c +@@ -271,7 +271,10 @@ XF86VidModeGetModeLine(Display* dpy, int screen, int* dotclock, + } + + if (modeline->privsize > 0) { +- modeline->private = Xcalloc(modeline->privsize, sizeof(INT32)); ++ if (modeline->privsize < (INT_MAX / sizeof(INT32))) ++ modeline->private = Xcalloc(modeline->privsize, sizeof(INT32)); ++ else ++ modeline->private = NULL; + if (modeline->private == NULL) { + _XEatDataWords(dpy, rep.length - + ((SIZEOF(xXF86VidModeGetModeLineReply) - SIZEOF(xReply)) >> 2)); +-- +1.8.2.3 + |