open-src/lib/libX11/CVE-2013-1997.patch
author Alan Coopersmith <Alan.Coopersmith@Oracle.COM>
Fri, 24 May 2013 11:40:22 -0700
changeset 1348 c05f6f3f5f1a
parent 1345 d5dacbb8de2b
permissions -rw-r--r--
16862421 setxkbmap does not set any layout
From b68b8dcddbb517cee2fe370ffd3bacae99c75299 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <[email protected]>
Date: Fri, 1 Mar 2013 19:30:09 -0800
Subject: [PATCH:libX11 08/38] unvalidated lengths in XAllocColorCells()
 [CVE-2013-1997 1/15]
If a broken server returned larger than requested values for nPixels or
nMasks, XAllocColorCells would happily overflow the buffers provided by
the caller to write the results into.
Reported-by: Ilja Van Sprundel <[email protected]>
Signed-off-by: Alan Coopersmith <[email protected]>
Reviewed-by: Matthieu Herrb <[email protected]>
---
 src/AllCells.c |    9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/AllCells.c b/src/AllCells.c
index ddd9c22..6e97e11 100644
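--- a/src/AllCells.c
+++ b/src/AllCells.c
@@ -53,8 +53,13 @@ Status XAllocColorCells(
     status = _XReply(dpy, (xReply *)&rep, 0, xFalse);
 
     if (status) {
-	_XRead32 (dpy, (long *) pixels, 4L * (long) (rep.nPixels));
-	_XRead32 (dpy, (long *) masks, 4L * (long) (rep.nMasks));
+	if ((rep.nPixels > ncolors) || (rep.nMasks > nplanes)) {
+	    _XEatDataWords(dpy, rep.length);
+	    status = 0; /* Failure */
+	} else {
+	    _XRead32 (dpy, (long *) pixels, 4L * (long) (rep.nPixels));
+	    _XRead32 (dpy, (long *) masks, 4L * (long) (rep.nMasks));
+	}
     }
 
     UnlockDisplay(dpy);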
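Review bot: The accepted branch consumes `rep.nPixels + rep.nMasks` words while the rejected branch discards `rep.length` words, and nothing in the hunk checks that the server's length field agrees with its two counts. A reply whose `rep.length` is larger than the counts would leave unread words on the connection after the two `_XRead32` calls, and a smaller one relies on how `_XRead32` copes with a short reply, which is not visible here. Consider folding the mismatch into the same rejection, something like `if ((rep.nPixels > ncolors) || (rep.nMasks > nplanes) || (rep.length != rep.nPixels + rep.nMasks)) {`. The body of XAllocColorCells starts and ends outside the hunk, so the types of `ncolors` and `nplanes` should be confirmed against the comparison.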
-- 
1.7.9.2
From 638d668a99734cf68bea1b799aece5706fb18b08 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <[email protected]>
Date: Fri, 1 Mar 2013 22:49:01 -0800
Subject: [PATCH:libX11 09/38] unvalidated index in
 _XkbReadGetDeviceInfoReply() [CVE-2013-1997
 2/15]
If the X server returns more buttons than are allocated in the XKB
device info structures, out of bounds writes could occur.
Reported-by: Ilja Van Sprundel <[email protected]>
Signed-off-by: Alan Coopersmith <[email protected]>
Reviewed-by: Matthieu Herrb <[email protected]>
---
 src/xkb/XKBExtDev.c |    6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/xkb/XKBExtDev.c b/src/xkb/XKBExtDev.c
index 353e769..dd383bc 100644
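--- a/src/xkb/XKBExtDev.c
+++ b/src/xkb/XKBExtDev.c
@@ -181,6 +181,9 @@ int			tmp;
 	    return tmp;
     }
     if (rep->nBtnsWanted>0) {
+	if (((unsigned short) rep->firstBtnWanted + rep->nBtnsWanted)
+	    >= devi->num_btns)
+	    goto BAILOUT;
 	act= &devi->btn_acts[rep->firstBtnWanted];
 	bzero((char *)act,(rep->nBtnsWanted*sizeof(XkbAction)));
     }
@@ -190,6 +193,9 @@ int			tmp;
 	goto BAILOUT;
     if (rep->nBtnsRtrn>0) {
 	int size;
+	if (((unsigned short) rep->firstBtnRtrn + rep->nBtnsRtrn)
+	    >= devi->num_btns)
+	    goto BAILOUT;
 	act= &devi->btn_acts[rep->firstBtnRtrn];
 	size= rep->nBtnsRtrn*SIZEOF(xkbActionWireDesc);
 	if (!_XkbCopyFromReadBuffer(&buf,(char *)act,size))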
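Review bot: Both new guards compare with `>=`, which also rejects a reply whose button range ends exactly at the last allocated button. When `first + n == devi->num_btns`, the `bzero` and `_XkbCopyFromReadBuffer` calls touch indexes `first .. num_btns-1`, all in range if `btn_acts` holds `num_btns` entries (its allocation is outside the hunks). Unless the stricter bound is intended, both tests should end in `> devi->num_btns)`, for the `firstBtnWanted`/`nBtnsWanted` pair and the `firstBtnRtrn`/`nBtnsRtrn` pair alike. It is also worth confirming that the value returned at `BAILOUT` is an error on these new paths, since the label and the last assignment to `tmp` lie outside the visible lines.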
-- 
1.7.9.2
From 1807e71a8a30aa2cff099708c508a25a9b6ba9da Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <[email protected]>
Date: Sat, 2 Mar 2013 09:12:47 -0800
Subject: [PATCH:libX11 10/38] unvalidated indexes in _XkbReadGeomShapes()
 [CVE-2013-1997 3/15]
If the X server returns shape indexes outside the range of the number
of shapes it told us to allocate, out of bounds memory access could occur.
Reported-by: Ilja Van Sprundel <[email protected]>
Signed-off-by: Alan Coopersmith <[email protected]>
Reviewed-by: Matthieu Herrb <[email protected]>
---
 src/xkb/XKBGeom.c |   12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/xkb/XKBGeom.c b/src/xkb/XKBGeom.c
index 7594a3d..4ad21f8 100644
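--- a/src/xkb/XKBGeom.c
+++ b/src/xkb/XKBGeom.c
@@ -364,12 +364,16 @@ Status	rtrn;
 	    }
 	    ol->num_points= olWire->nPoints;
 	}
-	if (shapeWire->primaryNdx!=XkbNoShape)
+	if ((shapeWire->primaryNdx!=XkbNoShape) &&
+	    (shapeWire->primaryNdx < shapeWire->nOutlines))
 	     shape->primary= &shape->outlines[shapeWire->primaryNdx];
-	else shape->primary= NULL;
-	if (shapeWire->approxNdx!=XkbNoShape)
+	else
+	    shape->primary= NULL;
+	if ((shapeWire->approxNdx!=XkbNoShape) &&
+	    (shapeWire->approxNdx < shapeWire->nOutlines))
 	     shape->approx= &shape->outlines[shapeWire->approxNdx];
-	else shape->approx= NULL;
+	else
+	    shape->approx= NULL;
 	XkbComputeShapeBounds(shape);
     }
     return Success;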
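Review bot: An out-of-range `primaryNdx` or `approxNdx` is now silently mapped to `NULL`, the same result as `XkbNoShape`, so a malformed reply cannot be told apart from a shape that legitimately has no primary or approximation outline, and the function still reaches `return Success`. The other index checks in this patch series fail the request with `BadLength`; if the lenient handling here is deliberate, a comment such as `/* out-of-range index from the server: treat as XkbNoShape */` above each test would record that decision. The bound is the wire value `shapeWire->nOutlines`; that it matches the number of entries actually allocated in `shape->outlines` is established outside the hunk and should be confirmed. The enclosing function begins before the visible lines.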
-- 
1.7.9.2
From 8215ec8bcad57c9707353626d782ff66ebe13b06 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <[email protected]>
Date: Sat, 2 Mar 2013 09:18:26 -0800
Subject: [PATCH:libX11 11/38] unvalidated indexes in
 _XkbReadGetGeometryReply() [CVE-2013-1997
 4/15]
If the X server returns color indexes outside the range of the number of
colors it told us to allocate, out of bounds memory access could occur.
Reported-by: Ilja Van Sprundel <[email protected]>
Signed-off-by: Alan Coopersmith <[email protected]>
Reviewed-by: Matthieu Herrb <[email protected]>
---
 src/xkb/XKBGeom.c |    3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/xkb/XKBGeom.c b/src/xkb/XKBGeom.c
index 4ad21f8..7140a72 100644
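--- a/src/xkb/XKBGeom.c
+++ b/src/xkb/XKBGeom.c
@@ -619,6 +619,9 @@ XkbGeometryPtr	geom;
 	    if (status==Success)
 		status= _XkbReadGeomKeyAliases(&buf,geom,rep);
 	    left= _XkbFreeReadBuffer(&buf);
+	    if ((rep->baseColorNdx > geom->num_colors) ||
+		(rep->labelColorNdx > geom->num_colors))
+		status = BadLength;
 	    if ((status!=Success) || left || buf.error) {
 		if (status==Success)
 		    status= BadLength;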
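Review bot: The comparisons `rep->baseColorNdx > geom->num_colors` and `rep->labelColorNdx > geom->num_colors` still accept an index equal to `num_colors`, which is one past the last element if these values index an array of `num_colors` entries, as the commit message implies; the place where the indexes are used is outside the hunk. The guard should use `>=` on both lines, `if ((rep->baseColorNdx >= geom->num_colors) ||` and `(rep->labelColorNdx >= geom->num_colors))`, unless a reply with zero colors and index 0 has to be accepted, in which case that exception deserves a comment. The unconditional `status = BadLength;` also replaces any earlier non-Success status from the reader calls above it, so the original error code is lost; guarding it with `status==Success` would keep it.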
-- 
1.7.9.2
From 77009b1f37ec583ef5ff17834c8a5cf2413f9ba6 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <[email protected]>
Date: Sat, 2 Mar 2013 09:28:33 -0800
Subject: [PATCH:libX11 12/38] unvalidated index in _XkbReadKeySyms()
 [CVE-2013-1997 5/15]
If the X server returns keymap indexes outside the range of the number of
keys it told us to allocate, out of bounds memory access could occur.
Reported-by: Ilja Van Sprundel <[email protected]>
Signed-off-by: Alan Coopersmith <[email protected]>
Reviewed-by: Matthieu Herrb <[email protected]>
---
 src/xkb/XKBGetMap.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c
index 30fb629..4a428d3 100644
--- a/src/xkb/XKBGetMap.c
d5dacbb8de2b 16673783 problem in X11/LIBRARIES
Alan Coopersmith <Alan.Coopersmith@Oracle.COM>
parents:
diff changeset
   182
+++ b/src/xkb/XKBGetMap.c
d5dacbb8de2b 16673783 problem in X11/LIBRARIES
Alan Coopersmith <Alan.Coopersmith@Oracle.COM>
parents:
diff changeset
   183
@@ -151,9 +151,12 @@ XkbClientMapPtr	map;
d5dacbb8de2b 16673783 problem in X11/LIBRARIES
Alan Coopersmith <Alan.Coopersmith@Oracle.COM>
parents:
diff changeset
   184
     map= xkb->map;
d5dacbb8de2b 16673783 problem in X11/LIBRARIES
Alan Coopersmith <Alan.Coopersmith@Oracle.COM>
parents:
diff changeset
   185
     if (map->key_sym_map==NULL) {
d5dacbb8de2b 16673783 problem in X11/LIBRARIES
Alan Coopersmith <Alan.Coopersmith@Oracle.COM>
parents:
diff changeset
   186
 	register int offset;
d5dacbb8de2b 16673783 problem in X11/LIBRARIES
Alan Coopersmith <Alan.Coopersmith@Oracle.COM>
parents:
diff changeset
   187
+	int size = xkb->max_key_code + 1;
d5dacbb8de2b 16673783 problem in X11/LIBRARIES
Alan Coopersmith <Alan.Coopersmith@Oracle.COM>
parents:
diff changeset
   188
 	XkbSymMapPtr	oldMap;
d5dacbb8de2b 16673783 problem in X11/LIBRARIES
Alan Coopersmith <Alan.Coopersmith@Oracle.COM>
parents:
diff changeset
   189
 	xkbSymMapWireDesc *newMap;
d5dacbb8de2b 16673783 problem in X11/LIBRARIES
Alan Coopersmith <Alan.Coopersmith@Oracle.COM>
parents:
diff changeset
   190
-	map->key_sym_map= _XkbTypedCalloc((xkb->max_key_code+1),XkbSymMapRec);
d5dacbb8de2b 16673783 problem in X11/LIBRARIES
Alan Coopersmith <Alan.Coopersmith@Oracle.COM>
parents:
diff changeset
   191
+	if (((unsigned short)rep->firstKeySym + rep->nKeySyms) > size)
d5dacbb8de2b 16673783 problem in X11/LIBRARIES
Alan Coopersmith <Alan.Coopersmith@Oracle.COM>
parents:
diff changeset
   192
+	    return BadLength;
d5dacbb8de2b 16673783 problem in X11/LIBRARIES
Alan Coopersmith <Alan.Coopersmith@Oracle.COM>
parents:
diff changeset
   193
+	map->key_sym_map= _XkbTypedCalloc(size,XkbSymMapRec);
d5dacbb8de2b 16673783 problem in X11/LIBRARIES
Alan Coopersmith <Alan.Coopersmith@Oracle.COM>
parents:
diff changeset
   194
 	if (map->key_sym_map==NULL)
d5dacbb8de2b 16673783 problem in X11/LIBRARIES
Alan Coopersmith <Alan.Coopersmith@Oracle.COM>
parents:
diff changeset
   195
 	    return BadAlloc;
d5dacbb8de2b 16673783 problem in X11/LIBRARIES
Alan Coopersmith <Alan.Coopersmith@Oracle.COM>
parents:
diff changeset
   196
 	if (map->syms==NULL) {
d5dacbb8de2b 16673783 problem in X11/LIBRARIES
Alan Coopersmith <Alan.Coopersmith@Oracle.COM>
parents:
diff changeset
   197
@@ -209,6 +212,8 @@ XkbClientMapPtr	map;
   198
 	KeySym *		newSyms;
   199
 	int			tmp;
   200
 
   201
+	if (((unsigned short)rep->firstKeySym + rep->nKeySyms) > map->num_syms)
   202
+	    return BadLength;
   203
 	oldMap = &map->key_sym_map[rep->firstKeySym];
   204
 	for (i=0;i<(int)rep->nKeySyms;i++,oldMap++) {
   205
 	    newMap= (xkbSymMapWireDesc *)
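Review bot: The bound added at the top of this branch compares `rep->firstKeySym + rep->nKeySyms` with `map->num_syms`, but the range is used to index `map->key_sym_map` (`oldMap = &map->key_sym_map[rep->firstKeySym]`), which the earlier hunk of this patch allocates with `xkb->max_key_code + 1` entries. `num_syms` looks like a count for the separate `syms` array, so the test may reject valid replies and, when `num_syms` is the larger value, admit a key range past the end of `key_sym_map`; this is inferred, since the map structure's definition is not in the hunk. Comparing against the key count would match the allocation branch: `if (((unsigned short)rep->firstKeySym + rep->nKeySyms) > xkb->max_key_code + 1)`. The loop body continues outside the hunk, so the per-key reads through `newMap` are not covered by this note.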
-- 
1.7.9.2
From ffc188aa4cbc0b0d0c612b62e45c29d485f86402 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <[email protected]>
Date: Sat, 2 Mar 2013 09:40:22 -0800
Subject: [PATCH:libX11 13/38] unvalidated index in _XkbReadKeyActions()
 [CVE-2013-1997 6/15]
If the X server returns key action indexes outside the range of the number
of keys it told us to allocate, out of bounds memory access could occur.
Reported-by: Ilja Van Sprundel <[email protected]>
Signed-off-by: Alan Coopersmith <[email protected]>
Reviewed-by: Matthieu Herrb <[email protected]>
---
 src/xkb/XKBGetMap.c |    4 ++++
 1 file changed, 4 insertions(+)
diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c
index 4a428d3..86ecf9d 100644
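--- a/src/xkb/XKBGetMap.c
+++ b/src/xkb/XKBGetMap.c
@@ -269,6 +269,10 @@ Status		ret = Success;
 	symMap = &info->map->key_sym_map[rep->firstKeyAct];
 	for (i=0;i<(int)rep->nKeyActs;i++,symMap++) {
 	    if (numDesc[i]==0) {
+		if ((i + rep->firstKeyAct) > (info->max_key_code + 1)) {
+		    ret = BadLength;
+		    goto done;
+		}
 		info->server->key_acts[i+rep->firstKeyAct]= 0;
 	    }
 	    else {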
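Review bot: The new test lets `i + rep->firstKeyAct` equal `info->max_key_code + 1` through to the `key_acts[i+rep->firstKeyAct]= 0` store; if `key_acts` is sized like the other per-key arrays in this series (`max_key_code + 1` entries, allocation not visible here), that index is one past the end and the comparison should be `>=`. The check also sits only in the `numDesc[i]==0` branch, after `symMap` has already been pointed at `key_sym_map[rep->firstKeyAct]`, so the `else` branch, whose body is outside the hunk, is not covered by it. Validating the whole range once before the loop would cover both paths: `if ((int)rep->firstKeyAct + rep->nKeyActs > info->max_key_code + 1) { ret = BadLength; goto done; }`.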
-- 
1.7.9.2
From 9f3d45b62875e7861deeecf849f90520395ee655 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <[email protected]>
Date: Sat, 2 Mar 2013 10:39:21 -0800
Subject: [PATCH:libX11 14/38] unvalidated index in _XkbReadKeyBehaviors()
 [CVE-2013-1997 7/15]
If the X server returns key behavior indexes outside the range of the number
of keys it told us to allocate, out of bounds memory writes could occur.
Reported-by: Ilja Van Sprundel <[email protected]>
Signed-off-by: Alan Coopersmith <[email protected]>
Reviewed-by: Matthieu Herrb <[email protected]>
---
 src/xkb/XKBGetMap.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c
index 86ecf9d..af93a5c 100644
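--- a/src/xkb/XKBGetMap.c
+++ b/src/xkb/XKBGetMap.c
@@ -305,8 +305,10 @@ register int i;
 xkbBehaviorWireDesc	*wire;
 
     if ( rep->totalKeyBehaviors>0 ) {
+	int size = xkb->max_key_code + 1;
+	if ( ((int) rep->firstKeyBehavior + rep->nKeyBehaviors) > size)
+	    return BadLength;
 	if ( xkb->server->behaviors == NULL ) {
-	    int size = xkb->max_key_code+1;
 	    xkb->server->behaviors = _XkbTypedCalloc(size,XkbBehavior);
 	    if (xkb->server->behaviors==NULL)
 		return BadAlloc;
@@ -318,7 +320,7 @@ xkbBehaviorWireDesc	*wire;
 	for (i=0;i<rep->totalKeyBehaviors;i++) {
 	    wire= (xkbBehaviorWireDesc *)_XkbGetReadBufferPtr(buf,
 						SIZEOF(xkbBehaviorWireDesc));
-	    if (wire==NULL)
+	    if (wire==NULL || wire->key >= size)
 		return BadLength;
 	    xkb->server->behaviors[wire->key].type= wire->type;
 	    xkb->server->behaviors[wire->key].data= wire->data;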
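Review bot: `size` now does two jobs in this block, the allocation length for `xkb->server->behaviors` and the upper bound for the server-supplied `wire->key`, and nothing at its declaration says so. A one-line comment there would keep a later edit from narrowing its scope back into the allocation branch: `/* entries in server->behaviors; also bounds wire->key read from the reply */`. When `behaviors` is already non-NULL the array is not reallocated here, so the bound assumes the existing array holds at least `max_key_code + 1` entries; that assumption is worth stating in the same comment, since the earlier allocation is outside the hunk.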
-- 
1.7.9.2
From b837305efa896d4bab4932faffb30d53cec546a3 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <[email protected]>
Date: Sat, 2 Mar 2013 10:51:51 -0800
Subject: [PATCH:libX11 15/38] unvalidated index in _XkbReadModifierMap()
 [CVE-2013-1997 8/15]
If the X server returns modifier map indexes outside the range of the number
of keys it told us to allocate, out of bounds memory writes could occur.
Reported-by: Ilja Van Sprundel <[email protected]>
Signed-off-by: Alan Coopersmith <[email protected]>
Reviewed-by: Matthieu Herrb <[email protected]>
---
 src/xkb/XKBGetMap.c |    5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c
index af93a5c..a68455b 100644
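--- a/src/xkb/XKBGetMap.c
+++ b/src/xkb/XKBGetMap.c
@@ -390,6 +390,9 @@ register int i;
 unsigned char *wire;
 
     if ( rep->totalModMapKeys>0 ) {
+	if ( ((int)rep->firstModMapKey + rep->nModMapKeys) >
+	     (xkb->max_key_code + 1))
+	    return BadLength;
 	if ((xkb->map->modmap==NULL)&&
 	    (XkbAllocClientMap(xkb,XkbModifierMapMask,0)!=Success)) {
 	    return BadAlloc;
@@ -402,6 +405,8 @@ unsigned char *wire;
 	if (!wire)
 	    return BadLength;
 	for (i=0;i<rep->totalModMapKeys;i++,wire+=2) {
+	    if (wire[0] > xkb->max_key_code || wire[1] > xkb->max_key_code)
+		return BadLength;
 	    xkb->map->modmap[wire[0]]= wire[1];
 	}
     }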
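Review bot: In the per-entry check inside the loop, only `wire[0]` is used as an index (`xkb->map->modmap[wire[0]]= wire[1]`); `wire[1]` is the value being stored, so comparing it with `xkb->max_key_code` is not a bounds check and would reject a reply whose stored value happens to exceed the highest keycode. The test can be reduced to `if (wire[0] > xkb->max_key_code) return BadLength;`. The same pattern appears in the `_XkbReadExplicitComponents()` patch that follows (`explicit[wire[0]]= wire[1]`). The range test added at the top of the block covers `firstModMapKey`/`nModMapKeys` while the loop runs to `totalModMapKeys`, so the per-entry index check is the one that actually guards the write and deserves a short comment saying so.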
-- 
1.7.9.2
From d71c0d7d138f8d15e7f4cfe747329405f0644423 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <[email protected]>
Date: Sat, 2 Mar 2013 11:04:44 -0800
Subject: [PATCH:libX11 16/38] unvalidated index in
 _XkbReadExplicitComponents() [CVE-2013-1997
 9/15]
If the X server returns key indexes outside the range of the number of
keys it told us to allocate, out of bounds memory writes could occur.
Reported-by: Ilja Van Sprundel <[email protected]>
Signed-off-by: Alan Coopersmith <[email protected]>
Reviewed-by: Matthieu Herrb <[email protected]>
---
 src/xkb/XKBGetMap.c |    6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c
index a68455b..ea77f2a 100644
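--- a/src/xkb/XKBGetMap.c
+++ b/src/xkb/XKBGetMap.c
@@ -362,8 +362,10 @@ register int i;
 unsigned char *wire;
 
     if ( rep->totalKeyExplicit>0 ) {
+	int size = xkb->max_key_code + 1;
+	if ( ((int) rep->firstKeyExplicit + rep->nKeyExplicit) > size)
+	    return BadLength;
 	if ( xkb->server->explicit == NULL ) {
-	    int size = xkb->max_key_code+1;
 	    xkb->server->explicit = _XkbTypedCalloc(size,unsigned char);
 	    if (xkb->server->explicit==NULL)
 		return BadAlloc;
@@ -377,6 +379,8 @@ unsigned char *wire;
 	if (!wire)
 	    return BadLength;
 	for (i=0;i<rep->totalKeyExplicit;i++,wire+=2) {
+	    if (wire[0] > xkb->max_key_code || wire[1] > xkb->max_key_code)
+		return BadLength;
 	    xkb->server->explicit[wire[0]]= wire[1];
 	}
     }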
-- 
1.7.9.2
From fb927b6dbc0172c2ca63b5ad243bfb98bb61fc4c Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <[email protected]>
Date: Sat, 2 Mar 2013 11:01:04 -0800
Subject: [PATCH:libX11 17/38] unvalidated index in _XkbReadVirtualModMap()
 [CVE-2013-1997 10/15]
If the X server returns modifier map indexes outside the range of the number
of keys it told us to allocate, out of bounds memory writes could occur.
Reported-by: Ilja Van Sprundel <[email protected]>
Signed-off-by: Alan Coopersmith <[email protected]>
Reviewed-by: Matthieu Herrb <[email protected]>
---
 src/xkb/XKBGetMap.c |    3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c
index ea77f2a..5551298 100644
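--- a/src/xkb/XKBGetMap.c
+++ b/src/xkb/XKBGetMap.c
@@ -425,6 +425,9 @@ xkbVModMapWireDesc *	wire;
 XkbServerMapPtr		srv;
 
     if ( rep->totalVModMapKeys>0 ) {
+	if (((int) rep->firstVModMapKey + rep->nVModMapKeys)
+	     > xkb->max_key_code)
+	    return BadLength;
 	if (((xkb->server==NULL)||(xkb->server->vmodmap==NULL))&&
 	    (XkbAllocServerMap(xkb,XkbVirtualModMapMask,0)!=Success)) {
 	    return BadAlloc;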
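Review bot: The added bound `> xkb->max_key_code` looks one too strict: a reply whose last virtual-modmap key is exactly max_key_code gives firstVModMapKey + nVModMapKeys equal to max_key_code + 1 and is rejected with BadLength although every index is in range. The vmodmap allocation is outside this hunk, so its size is inferred, but the XKBNames.c hunk on this page sizes its per-key array as `xkb->max_key_code+1` and uses the same comparison, so both checks probably want `> xkb->max_key_code + 1)`. The effect is a rejected valid reply rather than a memory-safety gap, yet it can break keymap loading against a well-behaved server. The enclosing function starts and ends outside the hunk.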
-- 
1.7.9.2
From f06f3cdc343fd6d42021dba055f080b617432301 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <[email protected]>
Date: Sat, 2 Mar 2013 11:11:08 -0800
Subject: [PATCH:libX11 18/38] unvalidated index/length in
 _XkbReadGetNamesReply() [CVE-2013-1997 11/15]
If the X server returns key name indexes outside the range of the number
of keys it told us to allocate, out of bounds memory writes could occur.
Reported-by: Ilja Van Sprundel <[email protected]>
Signed-off-by: Alan Coopersmith <[email protected]>
Reviewed-by: Matthieu Herrb <[email protected]>
---
 src/xkb/XKBNames.c |    2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/xkb/XKBNames.c b/src/xkb/XKBNames.c
index 0276c05..0f1e48e 100644
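--- a/src/xkb/XKBNames.c
+++ b/src/xkb/XKBNames.c
@@ -180,6 +180,8 @@ _XkbReadGetNamesReply(	Display *		dpy,
 	    nKeys= xkb->max_key_code+1;
 	    names->keys= _XkbTypedCalloc(nKeys,XkbKeyNameRec);
 	}
+	else if ( ((int)rep->firstKey + rep->nKeys) > xkb->max_key_code)
+	    goto BAILOUT;
 	if (names->keys!=NULL) {
 	    if (!_XkbCopyFromReadBuffer(&buf,
 					(char *)&names->keys[rep->firstKey],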
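Review bot: The new range check hangs off `else`, so it is skipped on the path that has just allocated `names->keys`; that path still reaches the copy into `&names->keys[rep->firstKey]` with the server-supplied firstKey and nKeys never compared against the `max_key_code+1` entries it allocated. Turning it into a plain `if ( ((int)rep->firstKey + rep->nKeys) > xkb->max_key_code)` after the closing brace, keeping the `goto BAILOUT;`, runs the check on both paths. The `if` that the brace closes and the rest of the copy call are outside the hunk, so this reading assumes the brace ends the allocation branch.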
-- 
1.7.9.2
From d851a64b0704f79550a9507a34d057c7415f6516 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <[email protected]>
Date: Sat, 2 Mar 2013 11:25:25 -0800
Subject: [PATCH:libX11 19/38] unvalidated length in _XimXGetReadData()
 [CVE-2013-1997 12/15]
Check the provided buffer size against the amount of data we're going to
write into it, not against the reported length from the ClientMessage.
Reported-by: Ilja Van Sprundel <[email protected]>
Signed-off-by: Alan Coopersmith <[email protected]>
Reviewed-by: Matthieu Herrb <[email protected]>
---
 modules/im/ximcp/imTrX.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/im/ximcp/imTrX.c b/modules/im/ximcp/imTrX.c
index 1412d70..76ff20e 100644
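--- a/modules/im/ximcp/imTrX.c
+++ b/modules/im/ximcp/imTrX.c
@@ -372,7 +372,7 @@ _XimXGetReadData(
 		XFree(prop_ret);
 	    return False;
 	}
-	if (buf_len >= length) {
+	if (buf_len >= (int)nitems) {
 	    (void)memcpy(buf, prop_ret, (int)nitems);
 	    *ret_len  = (int)nitems;
 	    if (bytes_after_ret > 0) {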
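Review bot: The comparison `buf_len >= (int)nitems` narrows nitems before testing it; if nitems is an unsigned long, as the cast suggests (its declaration is outside the hunk), a value above INT_MAX turns negative, passes the test, and the `(int)nitems` length given to memcpy converts to a very large size. Comparing in the wide type avoids that, assuming buf_len is an int: `if (buf_len >= 0 && (unsigned long)buf_len >= nitems) {`. With that guard the remaining `(int)nitems` casts on the memcpy and `*ret_len` lines are known to fit. The body of _XimXGetReadData continues on both sides of the hunk.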
-- 
1.7.9.2
From 59ba5744cdb8831e53f6340279d9841a037c48bc Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <[email protected]>
Date: Sat, 2 Mar 2013 15:08:21 -0800
Subject: [PATCH:libX11 30/38] Avoid overflows in XListFonts() [CVE-2013-1997
 13/15]
Ensure that when breaking the returned list into individual strings,
we don't walk past the end of allocated memory to write the '\0' bytes
Signed-off-by: Alan Coopersmith <[email protected]>
Reviewed-by: Matthieu Herrb <[email protected]>
---
 src/FontNames.c |   35 ++++++++++++++++++++++-------------
 1 file changed, 22 insertions(+), 13 deletions(-)
diff --git a/src/FontNames.c b/src/FontNames.c
index 3018cf2..b5bc7b4 100644
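--- a/src/FontNames.c
+++ b/src/FontNames.c
@@ -29,6 +29,7 @@ in this Software without prior written authorization from The Open Group.
 #include <config.h>
 #endif
 #include "Xlibint.h"
+#include <limits.h>
 
 char **
 XListFonts(
@@ -40,11 +41,13 @@ int *actualCount)	/* RETURN */
     register long nbytes;
     register unsigned i;
     register int length;
-    char **flist;
-    char *ch;
+    char **flist = NULL;
+    char *ch = NULL;
+    char *chend;
+    int count = 0;
     xListFontsReply rep;
     register xListFontsReq *req;
-    register long rlen;
+    unsigned long rlen;
 
     LockDisplay(dpy);
     GetReq(ListFonts, req);
@@ -62,15 +65,17 @@ int *actualCount)	/* RETURN */
     }
 
     if (rep.nFonts) {
-	flist = (char **)Xmalloc ((unsigned)rep.nFonts * sizeof(char *));
-	rlen = rep.length << 2;
-	ch = (char *) Xmalloc((unsigned) (rlen + 1));
+	flist = Xmalloc (rep.nFonts * sizeof(char *));
+	if (rep.length < (LONG_MAX >> 2)) {
+	    rlen = rep.length << 2;
+	    ch = Xmalloc(rlen + 1);
 	    /* +1 to leave room for last null-terminator */
+	}
 
 	if ((! flist) || (! ch)) {
 	    if (flist) Xfree((char *) flist);
 	    if (ch) Xfree(ch);
-	    _XEatData(dpy, (unsigned long) rlen);
+	    _XEatDataWords(dpy, rep.length);
 	    *actualCount = 0;
 	    UnlockDisplay(dpy);
 	    SyncHandle();
@@ -81,17 +86,21 @@ int *actualCount)	/* RETURN */
 	/*
 	 * unpack into null terminated strings.
 	 */
+	chend = ch + (rlen + 1);
 	length = *(unsigned char *)ch;
 	*ch = 1; /* make sure it is non-zero for XFreeFontNames */
 	for (i = 0; i < rep.nFonts; i++) {
-	    flist[i] = ch + 1;  /* skip over length */
-	    ch += length + 1;  /* find next length ... */
-	    length = *(unsigned char *)ch;
-	    *ch = '\0';  /* and replace with null-termination */
+	    if (ch + length < chend) {
+		flist[i] = ch + 1;  /* skip over length */
+		ch += length + 1;  /* find next length ... */
+		length = *(unsigned char *)ch;
+		*ch = '\0';  /* and replace with null-termination */
+		count++;
+	    } else
+		flist[i] = NULL;
 	}
     }
-    else flist = (char **) NULL;
-    *actualCount = rep.nFonts;
+    *actualCount = count;
     UnlockDisplay(dpy);
     SyncHandle();
     return (flist);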
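Review bot: In the unpack loop the guard `ch + length < chend` is off by one, because `chend = ch + (rlen + 1)` already points one past the `rlen + 1` bytes allocated. A name whose last byte sits in the final allocated byte passes the guard, and after `ch += length + 1` both the read of the next length byte and the `*ch = '\0'` write land one byte beyond the allocation. Setting `chend = ch + rlen;` keeps the last terminator inside the spare byte that the `+1` reserves. The call that fills `ch` lies between the hunks, so the buffer size is taken from the allocation shown here; the GetFPath.c section that follows declares the same `chend` and may need the same bound.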
-- 
1.7.9.2
From b5686ac6ad36e7742f8bba5b906bf2c57ba18955 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <[email protected]>
Date: Sat, 2 Mar 2013 15:08:21 -0800
Subject: [PATCH:libX11 31/38] Avoid overflows in XGetFontPath()
 [CVE-2013-1997 14/15]
Ensure that when breaking the returned list into individual strings,
we don't walk past the end of allocated memory to write the '\0' bytes
Signed-off-by: Alan Coopersmith <[email protected]>
Reviewed-by: Matthieu Herrb <[email protected]>
---
 src/GetFPath.c |   36 ++++++++++++++++++++++--------------
 1 file changed, 22 insertions(+), 14 deletions(-)
diff --git a/src/GetFPath.c b/src/GetFPath.c
index 7d497c9..abd4a5d 100644
--- a/src/GetFPath.c
   586
+++ b/src/GetFPath.c
   587
@@ -28,15 +28,18 @@ in this Software without prior written authorization from The Open Group.
   588
 #include <config.h>
   589
 #endif
   590
 #include "Xlibint.h"
   591
+#include <limits.h>
   592
 
   593
 char **XGetFontPath(
   594
     register Display *dpy,
   595
     int *npaths)	/* RETURN */
   596
 {
   597
 	xGetFontPathReply rep;
   598
-	register long nbytes;
   599
-	char **flist;
   600
-	char *ch;
   601
+	unsigned long nbytes;
   602
+	char **flist = NULL;
   603
+	char *ch = NULL;
   604
+	char *chend;
   605
+	int count = 0;
   606
 	register unsigned i;
   607
 	register int length;
   608
 	register xReq *req;
   609
@@ -46,16 +49,17 @@ char **XGetFontPath(
   610
 	(void) _XReply (dpy, (xReply *) &rep, 0, xFalse);
   611
 
   612
 	if (rep.nPaths) {
   613
-	    flist = (char **)
   614
-		Xmalloc((unsigned) rep.nPaths * sizeof (char *));
   615
-	    nbytes = (long)rep.length << 2;
   616
-	    ch = (char *) Xmalloc ((unsigned) (nbytes + 1));
   617
+	    flist = Xmalloc(rep.nPaths * sizeof (char *));
   618
+	    if (rep.length < (LONG_MAX >> 2)) {
   619
+		nbytes = (unsigned long) rep.length << 2;
   620
+		ch = Xmalloc (nbytes + 1);
   621
                 /* +1 to leave room for last null-terminator */
   622
+	    }
   623
 
   624
 	    if ((! flist) || (! ch)) {
   625
 		if (flist) Xfree((char *) flist);
   626
 		if (ch) Xfree(ch);
   627
-		_XEatData(dpy, (unsigned long) nbytes);
   628
+		_XEatDataWords(dpy, rep.length);
   629
 		UnlockDisplay(dpy);
   630
 		SyncHandle();
   631
 		return (char **) NULL;
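Review bot: The `(void) _XReply (dpy, (xReply *) &rep, 0, xFalse);` call at the top of this hunk still discards the status, so when the request fails the new `rep.nPaths` and `rep.length` checks run on whatever `rep` happens to hold. Testing the result, `if (!_XReply (dpy, (xReply *) &rep, 0, xFalse)) {`, and leaving through the same UnlockDisplay/SyncHandle/`return NULL` sequence used at the end of this hunk would keep the length validation meaningful. The XGetFontPath body starts and ends outside this hunk, so whether `rep` is initialised before the call is not visible here.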
   632
@@ -65,16 +69,20 @@ char **XGetFontPath(
   633
 	    /*
   634
 	     * unpack into null terminated strings.
   635
 	     */
   636
+	    chend = ch + (nbytes + 1);
   637
 	    length = *ch;
   638
 	    for (i = 0; i < rep.nPaths; i++) {
   639
-		flist[i] = ch+1;  /* skip over length */
   640
-		ch += length + 1; /* find next length ... */
   641
-		length = *ch;
   642
-		*ch = '\0'; /* and replace with null-termination */
   643
+		if (ch + length < chend) {
   644
+		    flist[i] = ch+1;  /* skip over length */
   645
+		    ch += length + 1; /* find next length ... */
   646
+		    length = *ch;
   647
+		    *ch = '\0'; /* and replace with null-termination */
   648
+		    count++;
   649
+		} else
   650
+		    flist[i] = NULL;
   651
 	    }
   652
 	}
   653
-	else flist = NULL;
   654
-	*npaths = rep.nPaths;
   655
+	*npaths = count;
   656
 	UnlockDisplay(dpy);
   657
 	SyncHandle();
   658
 	return (flist);
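Review bot: The new guard `if (ch + length < chend)` still lets `ch + length` equal `chend - 1`, so `ch += length + 1` can land on `chend`, and the following `length = *ch; *ch = '\0';` then touches one byte past the `nbytes + 1` allocation. The length byte is also read through a plain `char *`, so where char is signed a value above 127 becomes negative, passes the guard and moves `ch` backwards. I would tighten both: `length = *(unsigned char *) ch;` at each read, and `if (ch + length + 1 < chend) {` for the guard. The XListExtensions hunk at `@@ -70,17 +74,21 @@` has the same two lines and needs the same change; both function bodies continue outside their hunks.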
   659
-- 
   660
1.7.9.2
   661
   662
From 910875c83c9e6741aba258f44f94b3d69f804d00 Mon Sep 17 00:00:00 2001
   663
From: Alan Coopersmith <[email protected]>
   664
Date: Sat, 2 Mar 2013 15:08:21 -0800
   665
Subject: [PATCH:libX11 32/38] Avoid overflows in XListExtensions()
   666
 [CVE-2013-1997 15/15]
   667
   668
Ensure that when breaking the returned list into individual strings,
   669
we don't walk past the end of allocated memory to write the '\0' bytes
   670
   671
Signed-off-by: Alan Coopersmith <[email protected]>
   672
Reviewed-by: Matthieu Herrb <[email protected]>
   673
---
   674
 src/ListExt.c |   36 ++++++++++++++++++++++--------------
   675
 1 file changed, 22 insertions(+), 14 deletions(-)
   676
   677
diff --git a/src/ListExt.c b/src/ListExt.c
   678
index 16b522e..e925c47 100644
   679
--- a/src/ListExt.c
   680
+++ b/src/ListExt.c
   681
@@ -28,18 +28,21 @@ in this Software without prior written authorization from The Open Group.
   682
 #include <config.h>
   683
 #endif
   684
 #include "Xlibint.h"
   685
+#include <limits.h>
   686
 
   687
 char **XListExtensions(
   688
     register Display *dpy,
   689
     int *nextensions)	/* RETURN */
   690
 {
   691
 	xListExtensionsReply rep;
   692
-	char **list;
   693
-	char *ch;
   694
+	char **list = NULL;
   695
+	char *ch = NULL;
   696
+	char *chend;
   697
+	int count = 0;
   698
 	register unsigned i;
   699
 	register int length;
   700
 	register xReq *req;
   701
-	register long rlen;
   702
+	unsigned long rlen;
   703
 
   704
 	LockDisplay(dpy);
   705
 	GetEmptyReq (ListExtensions, req);
   706
@@ -51,16 +54,17 @@ char **XListExtensions(
   707
 	}
   708
 
   709
 	if (rep.nExtensions) {
   710
-	    list = (char **) Xmalloc (
   711
-                (unsigned)(rep.nExtensions * sizeof (char *)));
   712
-	    rlen = rep.length << 2;
   713
-	    ch = (char *) Xmalloc ((unsigned) rlen + 1);
   714
+	    list = Xmalloc (rep.nExtensions * sizeof (char *));
   715
+	    if (rep.length < (LONG_MAX >> 2)) {
   716
+		rlen = rep.length << 2;
   717
+		ch = Xmalloc (rlen + 1);
   718
                 /* +1 to leave room for last null-terminator */
   719
+	    }
   720
 
   721
 	    if ((!list) || (!ch)) {
   722
 		if (list) Xfree((char *) list);
   723
 		if (ch)   Xfree((char *) ch);
   724
-		_XEatData(dpy, (unsigned long) rlen);
   725
+		_XEatDataWords(dpy, rep.length);
   726
 		UnlockDisplay(dpy);
   727
 		SyncHandle();
   728
 		return (char **) NULL;
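Review bot: `rlen = rep.length << 2;` shifts in the width of `rep.length`, while the guard just above it compares against `LONG_MAX >> 2`; if the reply length is a 32-bit field and long is 64 bits, the guard never fails and the shift can wrap before the result is widened into `rlen`. The XGetFontPath change in this same series casts first, and this line should match it: `rlen = (unsigned long) rep.length << 2;`. A wrapped `rlen` would size `ch`, and presumably the read that follows outside this hunk, from a value smaller than the data the server announced.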
   729
@@ -70,17 +74,21 @@ char **XListExtensions(
   730
 	    /*
   731
 	     * unpack into null terminated strings.
   732
 	     */
   733
+	    chend = ch + (rlen + 1);
   734
 	    length = *ch;
   735
 	    for (i = 0; i < rep.nExtensions; i++) {
   736
-		list[i] = ch+1;  /* skip over length */
   737
-		ch += length + 1; /* find next length ... */
   738
-		length = *ch;
   739
-		*ch = '\0'; /* and replace with null-termination */
   740
+		if (ch + length < chend) {
   741
+		    list[i] = ch+1;  /* skip over length */
   742
+		    ch += length + 1; /* find next length ... */
   743
+		    length = *ch;
   744
+		    *ch = '\0'; /* and replace with null-termination */
   745
+		    count++;
   746
+		} else
   747
+		    list[i] = NULL;
   748
 	    }
   749
 	}
   750
-	else list = (char **) NULL;
   751
 
   752
-	*nextensions = rep.nExtensions;
   753
+	*nextensions = count;
   754
 	UnlockDisplay(dpy);
   755
 	SyncHandle();
   756
 	return (list);
   757
-- 
   758
1.7.9.2
   759
   760
From 134944bfb0963151e4e65b9b17c5431a41acd28e Mon Sep 17 00:00:00 2001
   761
From: Alan Coopersmith <[email protected]>
   762
Date: Sun, 31 Mar 2013 12:22:35 -0700
   763
Subject: [PATCH:libX11 37/38] _XkbReadGetMapReply: reject maxKeyCodes smaller
   764
 than the minKeyCode
   765
   766
Various other bounds checks in the code assume this is true, so
   767
enforce it when we first get the data from the X server.
   768
   769
Signed-off-by: Alan Coopersmith <[email protected]>
   770
---
   771
 src/xkb/XKBGetMap.c |    2 ++
   772
 1 file changed, 2 insertions(+)
   773
   774
diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c
   775
index d4cc199..862807a 100644
   776
--- a/src/xkb/XKBGetMap.c
   777
+++ b/src/xkb/XKBGetMap.c
   778
@@ -482,6 +482,8 @@ unsigned	mask;
   779
 
   780
     if ( xkb->device_spec == XkbUseCoreKbd )
   781
 	xkb->device_spec= rep->deviceID;
   782
+    if ( rep->maxKeyCode < rep->minKeyCode )
   783
+	return BadImplementation;
   784
     xkb->min_key_code = rep->minKeyCode;
   785
     xkb->max_key_code = rep->maxKeyCode;
   786
 
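Review bot: The new `maxKeyCode < minKeyCode` rejection sits after `xkb->device_spec= rep->deviceID;`, so a reply that is refused has already modified `xkb`. Moving the two added lines above the `device_spec` assignment leaves the caller's structure untouched when `BadImplementation` is returned. The function body starts and ends outside this hunk, so it is not visible whether the reply payload has been read at this point; if it has not, the early return should probably also drain it, as the other patches in this series do with `_XEatDataWords`.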
   787
-- 
   788
1.7.9.2
   789
   790
From a3bdd2b090915fe0163b062f0e6576fe05dd332e Mon Sep 17 00:00:00 2001
   791
From: Julien Cristau <[email protected]>
   792
Date: Thu, 23 May 2013 20:39:46 +0200
   793
Subject: [PATCH:libX11] xkb: fix off-by-one in _XkbReadGetNamesReply and
   794
 _XkbReadVirtualModMap
   795
   796
The size of the arrays is max_key_code + 1.  This makes these functions
   797
consistent with the other checks added for CVE-2013-1997.
   798
   799
Also check the XkbGetNames reply when names->keys was just allocated.
   800
   801
Signed-off-by: Julien Cristau <[email protected]>
   802
Tested-by: Colin Walters <[email protected]>
   803
Reviewed-by: Alan Coopersmith <[email protected]>
   804
---
   805
 src/xkb/XKBGetMap.c |    2 +-
   806
 src/xkb/XKBNames.c  |    2 +-
   807
 2 files changed, 2 insertions(+), 2 deletions(-)
   808
   809
diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c
   810
index 0875dfd..c73e655 100644
   811
--- a/src/xkb/XKBGetMap.c
   812
+++ b/src/xkb/XKBGetMap.c
   813
@@ -426,7 +426,7 @@ XkbServerMapPtr		srv;
c05f6f3f5f1a 16862421 setxkbmap does not set any layout
Alan Coopersmith <Alan.Coopersmith@Oracle.COM>
parents: 1345
diff changeset
   814
 
c05f6f3f5f1a 16862421 setxkbmap does not set any layout
Alan Coopersmith <Alan.Coopersmith@Oracle.COM>
parents: 1345
diff changeset
   815
     if ( rep->totalVModMapKeys>0 ) {
c05f6f3f5f1a 16862421 setxkbmap does not set any layout
Alan Coopersmith <Alan.Coopersmith@Oracle.COM>
parents: 1345
diff changeset
   816
 	if (((int) rep->firstVModMapKey + rep->nVModMapKeys)
c05f6f3f5f1a 16862421 setxkbmap does not set any layout
Alan Coopersmith <Alan.Coopersmith@Oracle.COM>
parents: 1345
diff changeset
   817
-	     > xkb->max_key_code)
c05f6f3f5f1a 16862421 setxkbmap does not set any layout
Alan Coopersmith <Alan.Coopersmith@Oracle.COM>
parents: 1345
diff changeset
   818
+	     > xkb->max_key_code + 1)
c05f6f3f5f1a 16862421 setxkbmap does not set any layout
Alan Coopersmith <Alan.Coopersmith@Oracle.COM>
parents: 1345
diff changeset
   819
 	    return BadLength;
c05f6f3f5f1a 16862421 setxkbmap does not set any layout
Alan Coopersmith <Alan.Coopersmith@Oracle.COM>
parents: 1345
diff changeset
   820
 	if (((xkb->server==NULL)||(xkb->server->vmodmap==NULL))&&
c05f6f3f5f1a 16862421 setxkbmap does not set any layout
Alan Coopersmith <Alan.Coopersmith@Oracle.COM>
parents: 1345
diff changeset
   821
 	    (XkbAllocServerMap(xkb,XkbVirtualModMapMask,0)!=Success)) {
c05f6f3f5f1a 16862421 setxkbmap does not set any layout
Alan Coopersmith <Alan.Coopersmith@Oracle.COM>
parents: 1345
diff changeset
   822
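Review bot: The corrected bound in the `rep->totalVModMapKeys>0` branch caps only the top of the server-supplied range, and nothing visible here compares `rep->firstVModMapKey` with `xkb->min_key_code` or says why the limit is `max_key_code + 1`. I would add a comment above the test, `/* firstVModMapKey + nVModMapKeys is one past the last key, so max_key_code + 1 is still in range */`, so the off-by-one is not reintroduced later. If no lower-bound check exists further down, it belongs next to this one; the function body starts and ends outside the hunk, so that has to be confirmed there. The same expression appears in `_XkbReadGetNamesReply` in src/xkb/XKBNames.c and would benefit from the same comment.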
diff --git a/src/xkb/XKBNames.c b/src/xkb/XKBNames.c
index 0f1e48e..3a8860b 100644
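--- a/src/xkb/XKBNames.c
+++ b/src/xkb/XKBNames.c
@@ -180,7 +180,7 @@ _XkbReadGetNamesReply(	Display *		dpy,
 	    nKeys= xkb->max_key_code+1;
 	    names->keys= _XkbTypedCalloc(nKeys,XkbKeyNameRec);
 	}
-	else if ( ((int)rep->firstKey + rep->nKeys) > xkb->max_key_code)
+	if ( ((int)rep->firstKey + rep->nKeys) > xkb->max_key_code + 1)
 	    goto BAILOUT;
 	if (names->keys!=NULL) {
 	    if (!_XkbCopyFromReadBuffer(&buf,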
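Review bot: Dropping the `else` means the range test on `rep->firstKey + rep->nKeys` now also runs right after `names->keys` is allocated with `nKeys= xkb->max_key_code+1` entries, a behaviour change beyond the `+ 1` that deserves a comment. Something like `/* check the reply's key range on both paths; keys holds max_key_code + 1 entries */` above the `if` would make the intent explicit. The `_XkbTypedCalloc` result is only tested by the later `names->keys!=NULL`, so a failed allocation still passes through the range test first. That looks harmless from the visible lines, but the rest of `_XkbReadGetNamesReply` is outside the hunk.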
-- 
1.7.9.2