open-src/lib/libXvMC/CVE-2013-1990.patch
author Alan Coopersmith <Alan.Coopersmith@Oracle.COM>
Wed, 15 May 2013 13:44:02 -0700
changeset 1345 d5dacbb8de2b
child 1349 f430f604f391
permissions -rw-r--r--
16673783 problem in X11/LIBRARIES 16674478 problem in X11/LIBRARIES
From cf1a1dc1b9ca34a29d0471da9389f8eae70ddbd9 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <[email protected]>
Date: Sat, 13 Apr 2013 00:47:57 -0700
Subject: [PATCH:libXvMC 1/5] Use _XEatDataWords to avoid overflow of
 rep.length shifting
rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
Signed-off-by: Alan Coopersmith <[email protected]>
---
 configure.ac |    6 ++++++
 src/XvMC.c   |   24 ++++++++++++++++++------
 2 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/configure.ac b/configure.ac
index b44f80d..f9d59a1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -42,6 +42,12 @@ XORG_CHECK_MALLOC_ZERO
 # Obtain compiler/linker options for depedencies
 PKG_CHECK_MODULES(XVMC, x11 xext xv xextproto videoproto)
 
+# Check for _XEatDataWords function that may be patched into older Xlib release
+SAVE_LIBS="$LIBS"
+LIBS="$XVMC_LIBS"
+AC_CHECK_FUNCS([_XEatDataWords])
+LIBS="$SAVE_LIBS"
+
 # Checks for library functions.
 AC_CHECK_FUNCS([shmat])
 
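Review bot: `AC_CHECK_FUNCS([_XEatDataWords])` run with `LIBS="$XVMC_LIBS"` is a link test only, so HAVE__XEATDATAWORDS records that some library in XVMC_LIBS exports the symbol, not that the Xlib headers being compiled against declare it; a build that pairs a patched libX11 with unpatched headers would leave XvMC.c calling the function through an implicit declaration. If that mix is a supported configuration, an `AC_CHECK_DECLS([_XEatDataWords], [], [], [[#include <X11/Xlibint.h>]])` next to the link check would surface it at configure time instead of as a compiler diagnostic. The comment above the check could also state why a symbol test is used rather than a version test, e.g. `# _XEatDataWords may come from a newer Xlib or from a security backport to an older one, so probe for the symbol rather than a version.`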
diff --git a/src/XvMC.c b/src/XvMC.c
index 5a4cf0d..b3e97ec 100644
--- a/src/XvMC.c
+++ b/src/XvMC.c
@@ -16,6 +16,18 @@
 #include <sys/time.h>
 #include <X11/extensions/Xext.h>
 #include <X11/extensions/extutil.h>
+#include <limits.h>
+
+#ifndef HAVE__XEATDATAWORDS
+static inline void _XEatDataWords(Display *dpy, unsigned long n)
+{
+# ifndef LONG64
+    if (n >= (ULONG_MAX >> 2))
+        _XIOError(dpy);
+# endif
+    _XEatData (dpy, n << 2);
+}
+#endif
 
 static XExtensionInfo _xvmc_info_data;
 static XExtensionInfo *xvmc_info = &_xvmc_info_data;
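Review bot: The fallback `static inline void _XEatDataWords(Display *dpy, unsigned long n)` under `#ifndef HAVE__XEATDATAWORDS` will not compile if the Xlib private header already declares the function with external linkage while the configure link test failed to set HAVE__XEATDATAWORDS (a stale config.h, or cross-compiling against mismatched headers and libraries), because a static definition after a non-static declaration is a hard error in GCC; whether Xlibint.h is included above is outside the hunk, but `_XEatData` and `_XIOError` have to come from somewhere. The guard itself looks right: on targets without LONG64, `n >= (ULONG_MAX >> 2)` rejects exactly the counts whose `n << 2` would wrap, and assuming `_XIOError` does not return, as in Xlib, the shift is never reached with a wrapped byte count. A one-line comment would spare the next reader the derivation, e.g. `/* With 32-bit longs, n << 2 wraps for n >= 2^30; treat that as an I/O error. */`.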
@@ -134,7 +146,7 @@ XvMCSurfaceInfo * XvMCListSurfaceTypes(Display *dpy, XvPortID port, int *num)
 	       surface_info[i].flags = sinfo.flags;
 	    }
 	} else
-	   _XEatData(dpy, rep.length << 2);
+	   _XEatDataWords(dpy, rep.length);
     }
 
     UnlockDisplay (dpy);
@@ -207,7 +219,7 @@ XvImageFormatValues * XvMCListSubpictureTypes (
               ret[i].scanline_order = Info.scanline_order;
             }
         } else
-	   _XEatData(dpy, rep.length << 2);
+	   _XEatDataWords(dpy, rep.length);
     }
 
     UnlockDisplay (dpy);
@@ -278,7 +290,7 @@ Status _xvmc_create_context (
             _XRead(dpy, (char*)(*priv_data), rep.length << 2);
 	    *priv_count = rep.length;
 	} else
-	    _XEatData(dpy, rep.length << 2);
+	    _XEatDataWords(dpy, rep.length);
     }
 
     UnlockDisplay (dpy);
@@ -359,7 +371,7 @@ Status _xvmc_create_surface (
             _XRead(dpy, (char*)(*priv_data), rep.length << 2);
             *priv_count = rep.length;
         } else
-            _XEatData(dpy, rep.length << 2);
+            _XEatDataWords(dpy, rep.length);
     }
 
     UnlockDisplay (dpy);
@@ -449,7 +461,7 @@ Status _xvmc_create_subpicture (
             _XRead(dpy, (char*)(*priv_data), rep.length << 2);
             *priv_count = rep.length;
         } else
-            _XEatData(dpy, rep.length << 2);
+            _XEatDataWords(dpy, rep.length);
     }
 
     UnlockDisplay (dpy);
@@ -579,7 +591,7 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port,
 
 	} else {
 
-	    _XEatData(dpy, realSize);
+	    _XEatDataWords(dpy, rep.length);
 	    UnlockDisplay (dpy);
 	    SyncHandle ();
 	    return -1;
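Review bot: The replacement `_XEatDataWords(dpy, rep.length)` consumes `rep.length << 2` bytes (with the 32-bit wrap guard), whereas the removed line consumed `realSize`; the two are equivalent only if `realSize` was computed as exactly `rep.length << 2` with no further adjustment, and its definition sits above this hunk where it cannot be checked. Please confirm that, because eating the wrong number of bytes on this error path desynchronizes the connection for every later reply. Note also that the `_XIOError` path inside `_XEatDataWords` bypasses the `UnlockDisplay`/`SyncHandle` calls that follow, which is acceptable only because `_XIOError` presumably tears down the display rather than returning. The enclosing `if`/`else` in XvMCGetDRInfo begins before the hunk.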
-- 
1.7.9.2
From 2712383813b26475dc6713888414d842be57f8ca Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <[email protected]>
Date: Sat, 13 Apr 2013 00:50:02 -0700
Subject: [PATCH:libXvMC 2/5] integer overflow in XvMCListSurfaceTypes()
 [CVE-2013-1990 1/2]
rep.num is a CARD32 and needs to be bounds checked before multiplying
by sizeof(XvMCSurfaceInfo) to come up with the total size to allocate,
to avoid integer overflow leading to underallocation and writing data from
the network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <[email protected]>
Signed-off-by: Alan Coopersmith <[email protected]>
---
 src/XvMC.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/XvMC.c b/src/XvMC.c
index b3e97ec..5d8c2cf 100644
--- a/src/XvMC.c
+++ b/src/XvMC.c
@@ -123,8 +123,8 @@ XvMCSurfaceInfo * XvMCListSurfaceTypes(Display *dpy, XvPortID port, int *num)
     }
 
     if(rep.num > 0) {
-	surface_info =
-	    (XvMCSurfaceInfo*)Xmalloc(rep.num * sizeof(XvMCSurfaceInfo));
+        if (rep.num < (INT_MAX / sizeof(XvMCSurfaceInfo)))
+            surface_info = Xmalloc(rep.num * sizeof(XvMCSurfaceInfo));
 
         if(surface_info) {
 	    xvmcSurfaceInfo sinfo;
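Review bot: When the new bound `rep.num < (INT_MAX / sizeof(XvMCSurfaceInfo))` is false, nothing in this hunk assigns `surface_info`, so the following `if(surface_info)` depends on the pointer having been initialised to NULL at its declaration above the hunk; if it was not, an oversize `rep.num` from the server now turns an over-read into an uninitialised-pointer dereference. Please confirm the declaration, or make the intent local with `else surface_info = NULL;` after the allocation. Bounding by INT_MAX rather than SIZE_MAX is the right choice here because the count is handed back through `int *num`, and a comment would make that non-obvious reason explicit: `/* INT_MAX bound: guards the size multiplication and keeps rep.num representable in *num. */`. XvMCListSurfaceTypes continues outside the hunk.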
-- 
1.7.9.2
From 478d4e5873eeee2ebdce6673e4e3469816ab63b8 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <[email protected]>
Date: Sat, 13 Apr 2013 00:50:02 -0700
Subject: [PATCH:libXvMC 3/5] integer overflow in XvMCListSubpictureTypes()
 [CVE-2013-1990 2/2]
rep.num is a CARD32 and needs to be bounds checked before multiplying by
sizeof(XvImageFormatValues) to come up with the total size to allocate,
to avoid integer overflow leading to underallocation and writing data from
the network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <[email protected]>
Signed-off-by: Alan Coopersmith <[email protected]>
---
 src/XvMC.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/XvMC.c b/src/XvMC.c
index 5d8c2cf..8d602ec 100644
--- a/src/XvMC.c
+++ b/src/XvMC.c
@@ -184,8 +184,8 @@ XvImageFormatValues * XvMCListSubpictureTypes (
     }
 
     if(rep.num > 0) {
-        ret =
-	   (XvImageFormatValues*)Xmalloc(rep.num * sizeof(XvImageFormatValues));
+        if (rep.num < (INT_MAX / sizeof(XvImageFormatValues)))
+            ret = Xmalloc(rep.num * sizeof(XvImageFormatValues));
 
         if(ret) {
             xvImageFormatInfo Info;
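Review bot: If `rep.num < (INT_MAX / sizeof(XvImageFormatValues))` is false, `ret` is left untouched by this hunk and the `if(ret)` immediately below only behaves like an allocation failure when `ret` was initialised to NULL at its declaration, which is outside the hunk and worth confirming; an `else ret = NULL;` would remove the dependency on that distant initialiser. The oversize case is otherwise silent: it falls through to the same path as a failed Xmalloc, so a short comment on the guard would help a later reader tell the two apart, e.g. `/* A count whose size computation could overflow is treated like an allocation failure. */`. XvMCListSubpictureTypes continues past the hunk.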
-- 
1.7.9.2
From 5fd871e5f878810f8f8837725d548e07e89577ab Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <[email protected]>
Date: Sat, 13 Apr 2013 00:50:02 -0700
Subject: [PATCH:libXvMC 4/5] integer overflow in _xvmc_create_*()
rep.length is a CARD32 and should be bounds checked before left-shifting
by 2 bits to come up with the total size to allocate, though in these
cases, no buffer overflow should occur here, since the XRead call is passed
the same rep.length << 2 length argument, but the *priv_count returned to
the caller could be interpreted or used to calculate a larger buffer size
than was actually allocated, leading them to go out of bounds.
Signed-off-by: Alan Coopersmith <[email protected]>
---
 src/XvMC.c |    9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/XvMC.c b/src/XvMC.c
index 8d602ec..d8bc59d 100644
--- a/src/XvMC.c
+++ b/src/XvMC.c
@@ -285,7 +285,8 @@ Status _xvmc_create_context (
     context->flags = rep.flags_return;
 
     if(rep.length) {
-	*priv_data = Xmalloc(rep.length << 2);
+	if (rep.length < (INT_MAX >> 2))
+	    *priv_data = Xmalloc(rep.length << 2);
 	if(*priv_data) {
             _XRead(dpy, (char*)(*priv_data), rep.length << 2);
 	    *priv_count = rep.length;
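Review bot: When rep.length fails the new `INT_MAX >> 2` guard, `*priv_data` is not assigned anywhere in this hunk, so the unchanged `if(*priv_data)` on the next line tests whatever the caller's output pointer held on entry. Unless the function already stores NULL into `*priv_data` before this point (not visible here), an `else *priv_data = NULL;` after the guarded Xmalloc would make the oversize-reply path deterministic; whether the reply payload is still discarded on that path is also outside the hunk. The same shape is repeated in the _xvmc_create_surface and _xvmc_create_subpicture hunks below. _xvmc_create_context's body continues outside the hunk.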
@@ -366,7 +367,8 @@ Status _xvmc_create_surface (
     }
 
     if(rep.length) {
-        *priv_data = Xmalloc(rep.length << 2);
+        if (rep.length < (INT_MAX >> 2))
+            *priv_data = Xmalloc(rep.length << 2);
         if(*priv_data) {
             _XRead(dpy, (char*)(*priv_data), rep.length << 2);
             *priv_count = rep.length;
@@ -456,7 +458,8 @@ Status _xvmc_create_subpicture (
     subpicture->component_order[3] = rep.component_order[3];
 
     if(rep.length) {
-        *priv_data = Xmalloc(rep.length << 2);
+        if (rep.length < (INT_MAX >> 2))
+            *priv_data = Xmalloc(rep.length << 2);
         if(*priv_data) {
             _XRead(dpy, (char*)(*priv_data), rep.length << 2);
             *priv_count = rep.length;
-- 
1.7.9.2
From e9415ddef2ac81d4139bd32d5e9cda9394a60051 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <[email protected]>
Date: Sat, 13 Apr 2013 01:20:08 -0700
Subject: [PATCH:libXvMC 5/5] Multiple unvalidated assumptions in
 XvMCGetDRInfo() [CVE-2013-1999]
The individual string sizes are assumed to not be more than the amount of
data read from the network, and could cause buffer overflow if they are.
The strings returned from the X server are assumed to be null terminated,
and could cause callers to read past the end of the buffer if they are not.
Also be sure to set the returned pointers to NULL, so callers don't try
accessing bad pointers on failure cases.
Reported-by: Ilja Van Sprundel <[email protected]>
Signed-off-by: Alan Coopersmith <[email protected]>
---
 src/XvMC.c |   36 +++++++++++++++++++-----------------
 1 file changed, 19 insertions(+), 17 deletions(-)
diff --git a/src/XvMC.c b/src/XvMC.c
index d8bc59d..cb42487 100644
--- a/src/XvMC.c
+++ b/src/XvMC.c
@@ -499,7 +499,6 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port,
     XExtDisplayInfo *info = xvmc_find_display(dpy);
     xvmcGetDRInfoReply rep;
     xvmcGetDRInfoReq  *req;
-    char *tmpBuf = NULL;
     CARD32 magic;
 
 #ifdef HAVE_SHMAT
@@ -510,6 +509,9 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port,
     here.tz_dsttime = 0;
 #endif
 
+    *name = NULL;
+    *busID = NULL;
+
     XvMCCheckExtension (dpy, info, BadImplementation);
 
     LockDisplay (dpy);
@@ -568,31 +570,31 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port,
 #endif
 
     if (rep.length > 0) {
-
-        int realSize = rep.length << 2;
-
-	tmpBuf = (char *) Xmalloc(realSize);
-	if (tmpBuf) {
-	    *name = (char *) Xmalloc(rep.nameLen);
-	    if (*name) {
-		*busID = (char *) Xmalloc(rep.busIDLen);
-		if (! *busID) {
-		    XFree(*name);
-		    XFree(tmpBuf);
-		}
-	    } else {
-		XFree(tmpBuf);
+	unsigned long realSize = 0;
+	char *tmpBuf = NULL;
+
+	if (rep.length < (INT_MAX >> 2)) {
+	    realSize = rep.length << 2;
+	    if (realSize >= (rep.nameLen + rep.busIDLen)) {
+		tmpBuf = Xmalloc(realSize);
+		*name = Xmalloc(rep.nameLen);
+		*busID = Xmalloc(rep.busIDLen);
 	    }
 	}
 
 	if (*name && *busID && tmpBuf) {
-
 	    _XRead(dpy, tmpBuf, realSize);
 	    strncpy(*name,tmpBuf,rep.nameLen);
+	    name[rep.nameLen - 1] = '\0';
 	    strncpy(*busID,tmpBuf+rep.nameLen,rep.busIDLen);
+	    busID[rep.busIDLen - 1] = '\0';
 	    XFree(tmpBuf);
-
 	} else {
+	    XFree(*name);
+	    *name = NULL;
+	    XFree(*busID);
+	    *name = NULL;
+	    XFree(tmpBuf);
 
 	    _XEatDataWords(dpy, rep.length);
 	    UnlockDisplay (dpy);
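Review bot: The two terminator stores added on the new side index the wrong object: `name` and `busID` are `char **` here, so `name[rep.nameLen - 1] = '\0'` stores a null pointer into the caller's pointer variable (out of bounds unless nameLen is 1, and in that case it replaces `*name` and leaks the buffer) instead of terminating the string; they should read `(*name)[rep.nameLen - 1] = '\0';` and `(*busID)[rep.busIDLen - 1] = '\0';`. Those indices also wrap when the server reports a zero-length name or busID, so the `rep.length < (INT_MAX >> 2)` block should additionally require both lengths to be non-zero before allocating. In the failure branch the second reset repeats `*name = NULL;` where `*busID = NULL;` is intended, leaving `*busID` dangling after `XFree(*busID)`. XvMCGetDRInfo's body continues outside the hunk.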
-- 
1.7.9.2