From e13eef2d952fdc082f76f66bebe6cee08c5144ab Mon Sep 17 00:00:00 2001

From: Alan Coopersmith <[email protected]>

Date: Fri, 26 Apr 2013 16:31:58 -0700

Subject: [PATCH:mesa 1/2] integer overflow in XF86DRIOpenConnection()

 [CVE-2013-1993 1/2]

busIdStringLength is a CARD32 and needs to be bounds checked before adding

one to it to come up with the total size to allocate, to avoid integer

overflow leading to underallocation and writing data from the network past

the end of the allocated buffer.

Reported-by: Ilja Van Sprundel <[email protected]>

Signed-off-by: Alan Coopersmith <[email protected]>

---

 src/glx/XF86dri.c |    7 ++++++-

 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/glx/XF86dri.c b/src/glx/XF86dri.c

index b1cdc9b..8f53bd7 100644

--- a/src/glx/XF86dri.c

+++ b/src/glx/XF86dri.c

@@ -43,6 +43,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

 #include <X11/extensions/Xext.h>

 #include <X11/extensions/extutil.h>

 #include "xf86dristr.h"

+#include <limits.h>

 static XExtensionInfo _xf86dri_info_data;

 static XExtensionInfo *xf86dri_info = &_xf86dri_info_data;

@@ -201,7 +202,11 @@ XF86DRIOpenConnection(Display * dpy, int screen, drm_handle_t * hSAREA,

    }

    if (rep.length) {

-      if (!(*busIdString = (char *) Xcalloc(rep.busIdStringLength + 1, 1))) {

+      if (rep.busIdStringLength < INT_MAX)

+         *busIdString = calloc(rep.busIdStringLength + 1, 1);

+      else

+         *busIdString = NULL;

+      if (*busIdString == NULL) {

          _XEatData(dpy, ((rep.busIdStringLength + 3) & ~3));

          UnlockDisplay(dpy);

          SyncHandle();

-- 

1.7.9.2

From 166bdb02bbbe73c11bc4b96a29f277695f4ae495 Mon Sep 17 00:00:00 2001

From: Alan Coopersmith <[email protected]>

Date: Fri, 26 Apr 2013 16:33:03 -0700

Subject: [PATCH:mesa 2/2] integer overflow in XF86DRIGetClientDriverName()

 [CVE-2013-1993 2/2]

clientDriverNameLength is a CARD32 and needs to be bounds checked before

adding one to it to come up with the total size to allocate, to avoid

integer overflow leading to underallocation and writing data from the

network past the end of the allocated buffer.

Reported-by: Ilja Van Sprundel <[email protected]>

Signed-off-by: Alan Coopersmith <[email protected]>

---

 src/glx/XF86dri.c |    8 +++++---

 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/glx/XF86dri.c b/src/glx/XF86dri.c

index 8f53bd7..56e3557 100644

--- a/src/glx/XF86dri.c

+++ b/src/glx/XF86dri.c

@@ -305,9 +305,11 @@ XF86DRIGetClientDriverName(Display * dpy, int screen,

    *ddxDriverPatchVersion = rep.ddxDriverPatchVersion;

    if (rep.length) {

-      if (!

-          (*clientDriverName =

-           (char *) Xcalloc(rep.clientDriverNameLength + 1, 1))) {

+      if (rep.clientDriverNameLength < INT_MAX)

+         *clientDriverName = calloc(rep.clientDriverNameLength + 1, 1);

+      else

+         *clientDriverName = NULL;

+      if (*clientDriverName == NULL) {

          _XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3));

          UnlockDisplay(dpy);

          SyncHandle();

-- 

1.7.9.2