|
1 From a886e8bcfe8ec9d1843bcb85fdb76176dc0f2a0c Mon Sep 17 00:00:00 2001 |
|
2 From: Alan Coopersmith <[email protected]> |
|
3 Date: Sat, 13 Apr 2013 20:49:43 -0700 |
|
4 Subject: [PATCH:xf86-video-openchrome 1/2] integer overflow in |
|
5 uniDRIOpenConnection() in |
|
6 libchromeXvMC* [CVE-2013-1994 |
|
7 1/2] |
|
8 |
|
9 busIdStringLength is a CARD32 and needs to be bounds checked before adding |
|
10 one to it to come up with the total size to allocate, to avoid integer |
|
11 overflow leading to underallocation and writing data from the network past |
|
12 the end of the allocated buffer. |
|
13 |
|
14 Reported-by: Ilja Van Sprundel <[email protected]> |
|
15 Signed-off-by: Alan Coopersmith <[email protected]> |
|
16 --- |
|
17 libxvmc/xf86dri.c | 7 ++++++- |
|
18 1 file changed, 6 insertions(+), 1 deletion(-) |
|
19 |
|
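diff --git a/libxvmc/xf86dri.c b/libxvmc/xf86dri.c
index 1feb232..fba7583 100644
--- a/libxvmc/xf86dri.c
+++ b/libxvmc/xf86dri.c
@@ -42,6 +42,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #include <X11/extensions/Xext.h>
 #include <X11/extensions/extutil.h>
 #include "xf86dristr.h"
+#include <limits.h>
 
 static XExtensionInfo _xf86dri_info_data;
 static XExtensionInfo *xf86dri_info = &_xf86dri_info_data;
@@ -203,7 +204,11 @@ uniDRIOpenConnection(dpy, screen, hSAREA, busIdString)
 }
 #endif
 if (rep.length) {
- if (!(*busIdString = (char *)Xcalloc(rep.busIdStringLength + 1, 1))) {
+ if (rep.busIdStringLength < INT_MAX)
+ *busIdString = Xcalloc(rep.busIdStringLength + 1, 1);
+ else
+ *busIdString = NULL;
+ if (*busIdString == NULL) {
 _XEatData(dpy, ((rep.busIdStringLength + 3) & ~3));
 UnlockDisplay(dpy);
 SyncHandle();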
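Review bot: The failure branch still sizes the discard as `(rep.busIdStringLength + 3) & ~3`, using the same server-supplied value that the new `< INT_MAX` test has just rejected. For a CARD32 near its maximum the `+ 3` can itself wrap, so `_XEatData` may skip few or no bytes and leave the unread reply body in the connection buffer, where it would be parsed as the next reply. Discarding by the reply's own length field does not depend on the untrusted string length: `_XEatDataWords(dpy, rep.length);` where the installed libX11 provides it. The same applies to the `_XEatData` call in the uniDRIGetClientDriverName() hunk of patch 2/2. The function body starts and continues outside this hunk.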
|
45 -- |
|
46 1.7.9.2 |
|
47 |
|
48 From 70fdbc0eeb99273d282c62d45f29b5f044bec08e Mon Sep 17 00:00:00 2001 |
|
49 From: Alan Coopersmith <[email protected]> |
|
50 Date: Sat, 13 Apr 2013 20:57:07 -0700 |
|
51 Subject: [PATCH:xf86-video-openchrome 2/2] integer overflow in |
|
52 uniDRIGetClientDriverName() in |
|
53 libchromeXvMC* [CVE-2013-1994 |
|
54 2/2] |
|
55 |
|
56 clientDriverNameLength is a CARD32 and needs to be bounds checked before |
|
57 adding one to it to come up with the total size to allocate, to avoid |
|
58 integer overflow leading to underallocation and writing data from the |
|
59 network past the end of the allocated buffer. |
|
60 |
|
61 Reported-by: Ilja Van Sprundel <[email protected]> |
|
62 Signed-off-by: Alan Coopersmith <[email protected]> |
|
63 --- |
|
64 libxvmc/xf86dri.c | 7 +++++-- |
|
65 1 file changed, 5 insertions(+), 2 deletions(-) |
|
66 |
|
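diff --git a/libxvmc/xf86dri.c b/libxvmc/xf86dri.c
index fba7583..c5702ec 100644
--- a/libxvmc/xf86dri.c
+++ b/libxvmc/xf86dri.c
@@ -314,8 +314,11 @@ uniDRIGetClientDriverName(dpy, screen, ddxDriverMajorVersion,
 *ddxDriverPatchVersion = rep.ddxDriverPatchVersion;
 
 if (rep.length) {
- if (!(*clientDriverName =
- (char *)Xcalloc(rep.clientDriverNameLength + 1, 1))) {
+ if (rep.clientDriverNameLength < INT_MAX)
+ *clientDriverName = Xcalloc(rep.clientDriverNameLength + 1, 1);
+ else
+ *clientDriverName = NULL;
+ if (*clientDriverName == NULL) {
 _XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3));
 UnlockDisplay(dpy);
 SyncHandle();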
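Review bot: `rep.clientDriverNameLength` is bounded only against INT_MAX and is never compared with `rep.length`, which is the amount of data, in 4-byte units, that the server says follows the reply header. A reply that claims a longer name than it carries is therefore still accepted, and it can drive an allocation of up to about 2 GiB. The read that fills the buffer is outside the hunk, but presumably it uses the same field and would then wait for, or consume, bytes that belong to later replies. Tying the two fields together closes that gap: `if (rep.clientDriverNameLength < INT_MAX && ((rep.clientDriverNameLength + 3) >> 2) <= rep.length)`. The uniDRIOpenConnection() hunk of patch 1/2 has the same gap for `busIdStringLength`.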
|
85 -- |
|
86 1.7.9.2 |
|
87 |