open-src/lib/libXv/CVE-2013-1989.patch
author Alan Coopersmith <Alan.Coopersmith@Oracle.COM>
Wed, 15 May 2013 13:44:02 -0700
changeset 1345 d5dacbb8de2b
permissions -rw-r--r--
16673783 problem in X11/LIBRARIES 16674478 problem in X11/LIBRARIES
From 79362c764a6df7e7fbe5247756bdbf60f3a58baf Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <[email protected]>
Date: Sat, 13 Apr 2013 00:28:34 -0700
Subject: [PATCH:libXv 1/5] Use _XEatDataWords to avoid overflow of rep.length
 shifting
rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
Signed-off-by: Alan Coopersmith <[email protected]>
---
 configure.ac |    6 ++++++
 src/Xv.c     |   22 +++++++++++++++++++---
 2 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/configure.ac b/configure.ac
index 5494b5d..6a335db 100644
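--- a/configure.ac
+++ b/configure.ac
@@ -43,6 +43,12 @@ XORG_CHECK_MALLOC_ZERO
 # Obtain compiler/linker options for depedencies
 PKG_CHECK_MODULES(XV, x11 xext xextproto videoproto)
 
+# Check for _XEatDataWords function that may be patched into older Xlib release
+SAVE_LIBS="$LIBS"
+LIBS="$XV_LIBS"
+AC_CHECK_FUNCS([_XEatDataWords])
+LIBS="$SAVE_LIBS"
+
 # Allow checking code with lint, sparse, etc.
 XORG_WITH_LINT
 XORG_LINT_LIBRARY([Xv])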
diff --git a/src/Xv.c b/src/Xv.c
index b081e8a..5be1d95 100644
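--- a/src/Xv.c
+++ b/src/Xv.c
@@ -49,11 +49,27 @@ SOFTWARE.
 **
 */
 
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
 #include <stdio.h>
 #include "Xvlibint.h"
 #include <X11/extensions/Xext.h>
 #include <X11/extensions/extutil.h>
 #include <X11/extensions/XShm.h>
+#include <limits.h>
+
+#ifndef HAVE__XEATDATAWORDS
+static inline void _XEatDataWords(Display *dpy, unsigned long n)
+{
+# ifndef LONG64
+    if (n >= (ULONG_MAX >> 2))
+        _XIOError(dpy);
+# endif
+    _XEatData (dpy, n << 2);
+}
+#endif
 
 static XExtensionInfo _xv_info_data;
 static XExtensionInfo *xv_info = &_xv_info_data;
@@ -853,7 +869,7 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
 	      (*num)++;
 	  }
       } else
-	_XEatData(dpy, rep.length << 2);
+	  _XEatDataWords(dpy, rep.length);
   }
 
   UnlockDisplay(dpy);
@@ -923,7 +939,7 @@ XvImageFormatValues * XvListImageFormats (
 	      (*num)++;
 	  }
       } else
-	_XEatData(dpy, rep.length << 2);
+	  _XEatDataWords(dpy, rep.length);
   }
 
   UnlockDisplay(dpy);
@@ -976,7 +992,7 @@ XvImage * XvCreateImage (
   	_XRead(dpy, (char*)(ret->pitches), rep.num_planes << 2);
 	_XRead(dpy, (char*)(ret->offsets), rep.num_planes << 2);
    } else
-	_XEatData(dpy, rep.length << 2);
+       _XEatDataWords(dpy, rep.length);
 
    UnlockDisplay(dpy);
    SyncHandle();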
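Review bot: The fallback `_XEatDataWords` in the first hunk is only safe if `_XIOError(dpy)` never returns; if it did, the next line would still evaluate `n << 2` with the value the guard was meant to reject. Nothing in the hunk states that dependency, so I would add a comment above the guard such as `/* _XIOError() does not return, so the shift below cannot wrap */`. The guard is compiled only when `LONG64` is undefined, which presumably assumes `unsigned long` is 64 bits wide whenever that macro is set; that is worth confirming for the supported platforms. On style, the replacement line in the XvCreateImage hunk is indented with spaces while the other two use a tab, so it no longer matches its neighbours.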
-- 
1.7.9.2
From 6e1b743a276651195be3cd68dff41e38426bf3ab Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <[email protected]>
Date: Sat, 13 Apr 2013 00:03:03 -0700
Subject: [PATCH:libXv 2/5] integer overflow in XvQueryPortAttributes()
 [CVE-2013-1989 1/3]
The num_attributes & text_size members of the reply are both CARD32s
and need to be bounds checked before multiplying & adding them together
to come up with the total size to allocate, to avoid integer overflow
leading to underallocation and writing data from the network past the
end of the allocated buffer.
Reported-by: Ilja Van Sprundel <[email protected]>
Signed-off-by: Alan Coopersmith <[email protected]>
---
 src/Xv.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/Xv.c b/src/Xv.c
index 5be1d95..3cbad35 100644
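--- a/src/Xv.c
+++ b/src/Xv.c
@@ -851,9 +851,15 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
   }
 
   if(rep.num_attributes) {
-      int size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size;
+      unsigned long size;
+      /* limit each part to no more than one half the max size */
+      if ((rep.num_attributes < ((INT_MAX / 2) / sizeof(XvAttribute))) &&
+	  (rep.text_size < (INT_MAX / 2))) {
+	  size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size;
+	  ret = Xmalloc(size);
+      }
 
-      if((ret = Xmalloc(size))) {
+      if (ret != NULL) {
 	  char* marker = (char*)(&ret[rep.num_attributes]);
 	  xvAttributeInfo Info;
 	  int i;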
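Review bot: `if (ret != NULL)` now reads `ret` on a path where nothing in this hunk assigns it, because `Xmalloc` is skipped when either bound check fails. The declaration of `ret` is above the hunk, so it should be confirmed that it is initialised there (for example `XvAttribute *ret = NULL;`); otherwise a reply with an oversized num_attributes or text_size would leave the function testing an indeterminate pointer. The XvListImageFormats change in patch 4/5 has the same shape and needs the same check. A short comment on the rejected path, such as `/* bounds check failed: ret stays NULL and the reply is discarded below */`, would make the intent clear to the next reader.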
-- 
1.7.9.2
From 15ab7dec17d686c38f2c82ac23a17cac5622322a Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <[email protected]>
Date: Sat, 13 Apr 2013 00:16:14 -0700
Subject: [PATCH:libXv 3/5] buffer overflow in XvQueryPortAttributes()
 [CVE-2013-2066]
Each attribute returned in the reply includes the number of bytes
to read for its marker.  We had been always trusting it, and never
validating that it wouldn't cause us to write past the end of the
buffer we allocated based on the reported text_size.
Reported-by: Ilja Van Sprundel <[email protected]>
Signed-off-by: Alan Coopersmith <[email protected]>
---
 src/Xv.c |   10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/Xv.c b/src/Xv.c
index 3cbad35..f9813eb 100644
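--- a/src/Xv.c
+++ b/src/Xv.c
@@ -864,14 +864,20 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
 	  xvAttributeInfo Info;
 	  int i;
 
+	  /* keep track of remaining room for text strings */
+	  size = rep.text_size;
+
 	  for(i = 0; i < rep.num_attributes; i++) {
              _XRead(dpy, (char*)(&Info), sz_xvAttributeInfo);
 	      ret[i].flags = (int)Info.flags;
 	      ret[i].min_value = Info.min;
 	      ret[i].max_value = Info.max;
 	      ret[i].name = marker;
-	      _XRead(dpy, marker, Info.size);
-	      marker += Info.size;
+	      if (Info.size <= size) {
+		  _XRead(dpy, marker, Info.size);
+		  marker += Info.size;
+		  size -= Info.size;
+	      }
 	      (*num)++;
 	  }
       } else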
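Review bot: When `Info.size` exceeds the remaining room the loop carries on, but the hunk neither reads nor discards those `Info.size` bytes. The next `_XRead(dpy, (char*)(&Info), sz_xvAttributeInfo)` would then parse name bytes as an attribute header. On that path `ret[i].name` is also left pointing at `marker` with nothing written there, and `(*num)++` still counts the entry, so a caller would read the name from unwritten memory. I would add an else branch that discards the oversized name and gives the entry a defined value, and stop counting entries once the reply is known to be inconsistent. A comment should also state that names are assumed to arrive NUL-terminated within `Info.size`, since nothing visible here checks it. The function body starts and ends outside the hunk.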
-- 
1.7.9.2
From 59301c1b5095f7dc6359d5b396dbbcdee7038270 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <[email protected]>
Date: Sat, 13 Apr 2013 00:03:03 -0700
Subject: [PATCH:libXv 4/5] integer overflow in XvListImageFormats()
 [CVE-2013-1989 2/3]
num_formats is a CARD32 and needs to be bounds checked before multiplying
by sizeof(XvImageFormatValues) to come up with the total size to allocate,
to avoid integer overflow leading to underallocation and writing data from
the network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <[email protected]>
Signed-off-by: Alan Coopersmith <[email protected]>
---
 src/Xv.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/Xv.c b/src/Xv.c
   202
index f9813eb..0a07d9d 100644
   203
--- a/src/Xv.c
   204
+++ b/src/Xv.c
   205
@@ -918,9 +918,10 @@ XvImageFormatValues * XvListImageFormats (
d5dacbb8de2b 16673783 problem in X11/LIBRARIES
Alan Coopersmith <Alan.Coopersmith@Oracle.COM>
parents:
diff changeset
   206
   }
d5dacbb8de2b 16673783 problem in X11/LIBRARIES
Alan Coopersmith <Alan.Coopersmith@Oracle.COM>
parents:
diff changeset
   207
 
d5dacbb8de2b 16673783 problem in X11/LIBRARIES
Alan Coopersmith <Alan.Coopersmith@Oracle.COM>
parents:
diff changeset
   208
   if(rep.num_formats) {
d5dacbb8de2b 16673783 problem in X11/LIBRARIES
Alan Coopersmith <Alan.Coopersmith@Oracle.COM>
parents:
diff changeset
   209
-      int size = (rep.num_formats * sizeof(XvImageFormatValues));
d5dacbb8de2b 16673783 problem in X11/LIBRARIES
Alan Coopersmith <Alan.Coopersmith@Oracle.COM>
parents:
diff changeset
   210
+      if (rep.num_formats < (INT_MAX / sizeof(XvImageFormatValues)))
d5dacbb8de2b 16673783 problem in X11/LIBRARIES
Alan Coopersmith <Alan.Coopersmith@Oracle.COM>
parents:
diff changeset
   211
+	  ret = Xmalloc(rep.num_formats * sizeof(XvImageFormatValues));
d5dacbb8de2b 16673783 problem in X11/LIBRARIES
Alan Coopersmith <Alan.Coopersmith@Oracle.COM>
parents:
diff changeset
   212
 
d5dacbb8de2b 16673783 problem in X11/LIBRARIES
Alan Coopersmith <Alan.Coopersmith@Oracle.COM>
parents:
diff changeset
   213
-      if((ret = Xmalloc(size))) {
d5dacbb8de2b 16673783 problem in X11/LIBRARIES
Alan Coopersmith <Alan.Coopersmith@Oracle.COM>
parents:
diff changeset
   214
+      if (ret != NULL) {
d5dacbb8de2b 16673783 problem in X11/LIBRARIES
Alan Coopersmith <Alan.Coopersmith@Oracle.COM>
parents:
diff changeset
   215
 	  xvImageFormatInfo Info;
d5dacbb8de2b 16673783 problem in X11/LIBRARIES
Alan Coopersmith <Alan.Coopersmith@Oracle.COM>
parents:
diff changeset
   216
 	  int i;
d5dacbb8de2b 16673783 problem in X11/LIBRARIES
Alan Coopersmith <Alan.Coopersmith@Oracle.COM>
parents:
diff changeset
   217
 
d5dacbb8de2b 16673783 problem in X11/LIBRARIES
Alan Coopersmith <Alan.Coopersmith@Oracle.COM>
parents:
diff changeset
   218
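Review bot: In the new `if (rep.num_formats < (INT_MAX / sizeof(XvImageFormatValues)))` guard, a rejected count leaves `ret` unassigned, so the following `if (ret != NULL)` is only correct if `ret` is initialised to NULL where it is declared; that declaration is outside this hunk and should be confirmed, and the same pattern appears in the XvCreateImage hunk of patch 5/5. The rejected path must also still discard the pending reply payload so the connection stays in sync, which presumably happens in an else branch below the hunk. Separately, `rep.num_formats` is not compared with `rep.length` in the visible lines, so a count larger than the reply actually carries would still drive the read loop; a check against the reply length before the loop would close that. I would add a comment above the guard: `/* num_formats is server-supplied; reject counts whose byte size would wrap */`.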
-- 
1.7.9.2
From 50fc4cb18069cb9450a02c13f80223ef23511409 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <[email protected]>
Date: Sat, 13 Apr 2013 00:03:03 -0700
Subject: [PATCH:libXv 5/5] integer overflow in XvCreateImage() [CVE-2013-1989
 3/3]
num_planes is a CARD32 and needs to be bounds checked before bit shifting
and adding to sizeof(XvImage) to come up with the total size to allocate,
to avoid integer overflow leading to underallocation and writing data from
the network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <[email protected]>
Signed-off-by: Alan Coopersmith <[email protected]>
---
 src/Xv.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/Xv.c b/src/Xv.c
index 0a07d9d..f268f8e 100644
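--- a/src/Xv.c
+++ b/src/Xv.c
@@ -992,7 +992,10 @@ XvImage * XvCreateImage (
       return NULL;
    }
 
-   if((ret = (XvImage*)Xmalloc(sizeof(XvImage) + (rep.num_planes << 3)))) {
+   if (rep.num_planes < ((INT_MAX >> 3) - sizeof(XvImage)))
+       ret = Xmalloc(sizeof(XvImage) + (rep.num_planes << 3));
+
+   if (ret != NULL) {
 	ret->id = id;
 	ret->width = rep.width;
 	ret->height = rep.height;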
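Review bot: The bound `(INT_MAX >> 3) - sizeof(XvImage)` subtracts a byte count from a plane count, so it does not mirror the allocation `sizeof(XvImage) + (rep.num_planes << 3)` it protects; it is safe only because it happens to be stricter than necessary. Writing it as `if (rep.num_planes < ((INT_MAX - sizeof(XvImage)) >> 3))` states the intended limit directly. The `<< 3` also deserves a comment saying what the 8 bytes per plane hold (presumably the pitch and offset entries that follow the struct, which the hunk does not show). XvCreateImage's body continues outside the hunk.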
-- 
1.7.9.2