|
1 From b68b8dcddbb517cee2fe370ffd3bacae99c75299 Mon Sep 17 00:00:00 2001 |
|
2 From: Alan Coopersmith <[email protected]> |
|
3 Date: Fri, 1 Mar 2013 19:30:09 -0800 |
|
4 Subject: [PATCH:libX11 08/38] unvalidated lengths in XAllocColorCells() |
|
5 [CVE-2013-1997 1/15] |
|
6 |
|
7 If a broken server returned larger than requested values for nPixels or |
|
8 nMasks, XAllocColorCells would happily overflow the buffers provided by |
|
9 the caller to write the results into. |
|
10 |
|
11 Reported-by: Ilja Van Sprundel <[email protected]> |
|
12 Signed-off-by: Alan Coopersmith <[email protected]> |
|
13 Reviewed-by: Matthieu Herrb <[email protected]> |
|
14 --- |
|
15 src/AllCells.c | 9 +++++++-- |
|
16 1 file changed, 7 insertions(+), 2 deletions(-) |
|
17 |
|
18 diff --git a/src/AllCells.c b/src/AllCells.c |
|
19 index ddd9c22..6e97e11 100644 |
|
20 --- a/src/AllCells.c |
|
21 +++ b/src/AllCells.c |
|
22 @@ -53,8 +53,13 @@ Status XAllocColorCells( |
|
23 status = _XReply(dpy, (xReply *)&rep, 0, xFalse); |
|
24 |
|
25 if (status) { |
|
26 - _XRead32 (dpy, (long *) pixels, 4L * (long) (rep.nPixels)); |
|
27 - _XRead32 (dpy, (long *) masks, 4L * (long) (rep.nMasks)); |
|
28 + if ((rep.nPixels > ncolors) || (rep.nMasks > nplanes)) { |
|
29 + _XEatDataWords(dpy, rep.length); |
|
30 + status = 0; /* Failure */ |
|
31 + } else { |
|
32 + _XRead32 (dpy, (long *) pixels, 4L * (long) (rep.nPixels)); |
|
33 + _XRead32 (dpy, (long *) masks, 4L * (long) (rep.nMasks)); |
|
34 + } |
|
35 } |
|
36 |
|
37 UnlockDisplay(dpy); |
|
38 -- |
|
39 1.7.9.2 |
|
40 |
|
41 From 638d668a99734cf68bea1b799aece5706fb18b08 Mon Sep 17 00:00:00 2001 |
|
42 From: Alan Coopersmith <[email protected]> |
|
43 Date: Fri, 1 Mar 2013 22:49:01 -0800 |
|
44 Subject: [PATCH:libX11 09/38] unvalidated index in |
|
45 _XkbReadGetDeviceInfoReply() [CVE-2013-1997 |
|
46 2/15] |
|
47 |
|
48 If the X server returns more buttons than are allocated in the XKB |
|
49 device info structures, out of bounds writes could occur. |
|
50 |
|
51 Reported-by: Ilja Van Sprundel <[email protected]> |
|
52 Signed-off-by: Alan Coopersmith <[email protected]> |
|
53 Reviewed-by: Matthieu Herrb <[email protected]> |
|
54 --- |
|
55 src/xkb/XKBExtDev.c | 6 ++++++ |
|
56 1 file changed, 6 insertions(+) |
|
57 |
|
58 diff --git a/src/xkb/XKBExtDev.c b/src/xkb/XKBExtDev.c |
|
59 index 353e769..dd383bc 100644 |
|
60 --- a/src/xkb/XKBExtDev.c |
|
61 +++ b/src/xkb/XKBExtDev.c |
|
62 @@ -181,6 +181,9 @@ int tmp; |
|
63 return tmp; |
|
64 } |
|
65 if (rep->nBtnsWanted>0) { |
|
66 + if (((unsigned short) rep->firstBtnWanted + rep->nBtnsWanted) |
|
67 + >= devi->num_btns) |
|
68 + goto BAILOUT; |
|
69 act= &devi->btn_acts[rep->firstBtnWanted]; |
|
70 bzero((char *)act,(rep->nBtnsWanted*sizeof(XkbAction))); |
|
71 } |
|
72 @@ -190,6 +193,9 @@ int tmp; |
|
73 goto BAILOUT; |
|
74 if (rep->nBtnsRtrn>0) { |
|
75 int size; |
|
76 + if (((unsigned short) rep->firstBtnRtrn + rep->nBtnsRtrn) |
|
77 + >= devi->num_btns) |
|
78 + goto BAILOUT; |
|
79 act= &devi->btn_acts[rep->firstBtnRtrn]; |
|
80 size= rep->nBtnsRtrn*SIZEOF(xkbActionWireDesc); |
|
81 if (!_XkbCopyFromReadBuffer(&buf,(char *)act,size)) |
|
82 -- |
|
83 1.7.9.2 |
|
84 |
|
85 From 1807e71a8a30aa2cff099708c508a25a9b6ba9da Mon Sep 17 00:00:00 2001 |
|
86 From: Alan Coopersmith <[email protected]> |
|
87 Date: Sat, 2 Mar 2013 09:12:47 -0800 |
|
88 Subject: [PATCH:libX11 10/38] unvalidated indexes in _XkbReadGeomShapes() |
|
89 [CVE-2013-1997 3/15] |
|
90 |
|
91 If the X server returns shape indexes outside the range of the number |
|
92 of shapes it told us to allocate, out of bounds memory access could occur. |
|
93 |
|
94 Reported-by: Ilja Van Sprundel <[email protected]> |
|
95 Signed-off-by: Alan Coopersmith <[email protected]> |
|
96 Reviewed-by: Matthieu Herrb <[email protected]> |
|
97 --- |
|
98 src/xkb/XKBGeom.c | 12 ++++++++---- |
|
99 1 file changed, 8 insertions(+), 4 deletions(-) |
|
100 |
|
101 diff --git a/src/xkb/XKBGeom.c b/src/xkb/XKBGeom.c |
|
102 index 7594a3d..4ad21f8 100644 |
|
103 --- a/src/xkb/XKBGeom.c |
|
104 +++ b/src/xkb/XKBGeom.c |
|
105 @@ -364,12 +364,16 @@ Status rtrn; |
|
106 } |
|
107 ol->num_points= olWire->nPoints; |
|
108 } |
|
109 - if (shapeWire->primaryNdx!=XkbNoShape) |
|
110 + if ((shapeWire->primaryNdx!=XkbNoShape) && |
|
111 + (shapeWire->primaryNdx < shapeWire->nOutlines)) |
|
112 shape->primary= &shape->outlines[shapeWire->primaryNdx]; |
|
113 - else shape->primary= NULL; |
|
114 - if (shapeWire->approxNdx!=XkbNoShape) |
|
115 + else |
|
116 + shape->primary= NULL; |
|
117 + if ((shapeWire->approxNdx!=XkbNoShape) && |
|
118 + (shapeWire->approxNdx < shapeWire->nOutlines)) |
|
119 shape->approx= &shape->outlines[shapeWire->approxNdx]; |
|
120 - else shape->approx= NULL; |
|
121 + else |
|
122 + shape->approx= NULL; |
|
123 XkbComputeShapeBounds(shape); |
|
124 } |
|
125 return Success; |
|
126 -- |
|
127 1.7.9.2 |
|
128 |
|
129 From 8215ec8bcad57c9707353626d782ff66ebe13b06 Mon Sep 17 00:00:00 2001 |
|
130 From: Alan Coopersmith <[email protected]> |
|
131 Date: Sat, 2 Mar 2013 09:18:26 -0800 |
|
132 Subject: [PATCH:libX11 11/38] unvalidated indexes in |
|
133 _XkbReadGetGeometryReply() [CVE-2013-1997 |
|
134 4/15] |
|
135 |
|
136 If the X server returns color indexes outside the range of the number of |
|
137 colors it told us to allocate, out of bounds memory access could occur. |
|
138 |
|
139 Reported-by: Ilja Van Sprundel <[email protected]> |
|
140 Signed-off-by: Alan Coopersmith <[email protected]> |
|
141 Reviewed-by: Matthieu Herrb <[email protected]> |
|
142 --- |
|
143 src/xkb/XKBGeom.c | 3 +++ |
|
144 1 file changed, 3 insertions(+) |
|
145 |
|
146 diff --git a/src/xkb/XKBGeom.c b/src/xkb/XKBGeom.c |
|
147 index 4ad21f8..7140a72 100644 |
|
148 --- a/src/xkb/XKBGeom.c |
|
149 +++ b/src/xkb/XKBGeom.c |
|
150 @@ -619,6 +619,9 @@ XkbGeometryPtr geom; |
|
151 if (status==Success) |
|
152 status= _XkbReadGeomKeyAliases(&buf,geom,rep); |
|
153 left= _XkbFreeReadBuffer(&buf); |
|
154 + if ((rep->baseColorNdx > geom->num_colors) || |
|
155 + (rep->labelColorNdx > geom->num_colors)) |
|
156 + status = BadLength; |
|
157 if ((status!=Success) || left || buf.error) { |
|
158 if (status==Success) |
|
159 status= BadLength; |
|
160 -- |
|
161 1.7.9.2 |
|
162 |
|
163 From 77009b1f37ec583ef5ff17834c8a5cf2413f9ba6 Mon Sep 17 00:00:00 2001 |
|
164 From: Alan Coopersmith <[email protected]> |
|
165 Date: Sat, 2 Mar 2013 09:28:33 -0800 |
|
166 Subject: [PATCH:libX11 12/38] unvalidated index in _XkbReadKeySyms() |
|
167 [CVE-2013-1997 5/15] |
|
168 |
|
169 If the X server returns keymap indexes outside the range of the number of |
|
170 keys it told us to allocate, out of bounds memory access could occur. |
|
171 |
|
172 Reported-by: Ilja Van Sprundel <[email protected]> |
|
173 Signed-off-by: Alan Coopersmith <[email protected]> |
|
174 Reviewed-by: Matthieu Herrb <[email protected]> |
|
175 --- |
|
176 src/xkb/XKBGetMap.c | 7 ++++++- |
|
177 1 file changed, 6 insertions(+), 1 deletion(-) |
|
178 |
|
179 diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c |
|
180 index 30fb629..4a428d3 100644 |
|
181 --- a/src/xkb/XKBGetMap.c |
|
182 +++ b/src/xkb/XKBGetMap.c |
|
183 @@ -151,9 +151,12 @@ XkbClientMapPtr map; |
|
184 map= xkb->map; |
|
185 if (map->key_sym_map==NULL) { |
|
186 register int offset; |
|
187 + int size = xkb->max_key_code + 1; |
|
188 XkbSymMapPtr oldMap; |
|
189 xkbSymMapWireDesc *newMap; |
|
190 - map->key_sym_map= _XkbTypedCalloc((xkb->max_key_code+1),XkbSymMapRec); |
|
191 + if (((unsigned short)rep->firstKeySym + rep->nKeySyms) > size) |
|
192 + return BadLength; |
|
193 + map->key_sym_map= _XkbTypedCalloc(size,XkbSymMapRec); |
|
194 if (map->key_sym_map==NULL) |
|
195 return BadAlloc; |
|
196 if (map->syms==NULL) { |
|
197 @@ -209,6 +212,8 @@ XkbClientMapPtr map; |
|
198 KeySym * newSyms; |
|
199 int tmp; |
|
200 |
|
201 + if (((unsigned short)rep->firstKeySym + rep->nKeySyms) > map->num_syms) |
|
202 + return BadLength; |
|
203 oldMap = &map->key_sym_map[rep->firstKeySym]; |
|
204 for (i=0;i<(int)rep->nKeySyms;i++,oldMap++) { |
|
205 newMap= (xkbSymMapWireDesc *) |
|
206 -- |
|
207 1.7.9.2 |
|
208 |
|
209 From ffc188aa4cbc0b0d0c612b62e45c29d485f86402 Mon Sep 17 00:00:00 2001 |
|
210 From: Alan Coopersmith <[email protected]> |
|
211 Date: Sat, 2 Mar 2013 09:40:22 -0800 |
|
212 Subject: [PATCH:libX11 13/38] unvalidated index in _XkbReadKeyActions() |
|
213 [CVE-2013-1997 6/15] |
|
214 |
|
215 If the X server returns key action indexes outside the range of the number |
|
216 of keys it told us to allocate, out of bounds memory access could occur. |
|
217 |
|
218 Reported-by: Ilja Van Sprundel <[email protected]> |
|
219 Signed-off-by: Alan Coopersmith <[email protected]> |
|
220 Reviewed-by: Matthieu Herrb <[email protected]> |
|
221 --- |
|
222 src/xkb/XKBGetMap.c | 4 ++++ |
|
223 1 file changed, 4 insertions(+) |
|
224 |
|
225 diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c |
|
226 index 4a428d3..86ecf9d 100644 |
|
227 --- a/src/xkb/XKBGetMap.c |
|
228 +++ b/src/xkb/XKBGetMap.c |
|
229 @@ -269,6 +269,10 @@ Status ret = Success; |
|
230 symMap = &info->map->key_sym_map[rep->firstKeyAct]; |
|
231 for (i=0;i<(int)rep->nKeyActs;i++,symMap++) { |
|
232 if (numDesc[i]==0) { |
|
233 + if ((i + rep->firstKeyAct) > (info->max_key_code + 1)) { |
|
234 + ret = BadLength; |
|
235 + goto done; |
|
236 + } |
|
237 info->server->key_acts[i+rep->firstKeyAct]= 0; |
|
238 } |
|
239 else { |
|
240 -- |
|
241 1.7.9.2 |
|
242 |
|
243 From 9f3d45b62875e7861deeecf849f90520395ee655 Mon Sep 17 00:00:00 2001 |
|
244 From: Alan Coopersmith <[email protected]> |
|
245 Date: Sat, 2 Mar 2013 10:39:21 -0800 |
|
246 Subject: [PATCH:libX11 14/38] unvalidated index in _XkbReadKeyBehaviors() |
|
247 [CVE-2013-1997 7/15] |
|
248 |
|
249 If the X server returns key behavior indexes outside the range of the number |
|
250 of keys it told us to allocate, out of bounds memory writes could occur. |
|
251 |
|
252 Reported-by: Ilja Van Sprundel <[email protected]> |
|
253 Signed-off-by: Alan Coopersmith <[email protected]> |
|
254 Reviewed-by: Matthieu Herrb <[email protected]> |
|
255 --- |
|
256 src/xkb/XKBGetMap.c | 6 ++++-- |
|
257 1 file changed, 4 insertions(+), 2 deletions(-) |
|
258 |
|
259 diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c |
|
260 index 86ecf9d..af93a5c 100644 |
|
261 --- a/src/xkb/XKBGetMap.c |
|
262 +++ b/src/xkb/XKBGetMap.c |
|
263 @@ -305,8 +305,10 @@ register int i; |
|
264 xkbBehaviorWireDesc *wire; |
|
265 |
|
266 if ( rep->totalKeyBehaviors>0 ) { |
|
267 + int size = xkb->max_key_code + 1; |
|
268 + if ( ((int) rep->firstKeyBehavior + rep->nKeyBehaviors) > size) |
|
269 + return BadLength; |
|
270 if ( xkb->server->behaviors == NULL ) { |
|
271 - int size = xkb->max_key_code+1; |
|
272 xkb->server->behaviors = _XkbTypedCalloc(size,XkbBehavior); |
|
273 if (xkb->server->behaviors==NULL) |
|
274 return BadAlloc; |
|
275 @@ -318,7 +320,7 @@ xkbBehaviorWireDesc *wire; |
|
276 for (i=0;i<rep->totalKeyBehaviors;i++) { |
|
277 wire= (xkbBehaviorWireDesc *)_XkbGetReadBufferPtr(buf, |
|
278 SIZEOF(xkbBehaviorWireDesc)); |
|
279 - if (wire==NULL) |
|
280 + if (wire==NULL || wire->key >= size) |
|
281 return BadLength; |
|
282 xkb->server->behaviors[wire->key].type= wire->type; |
|
283 xkb->server->behaviors[wire->key].data= wire->data; |
|
284 -- |
|
285 1.7.9.2 |
|
286 |
|
287 From b837305efa896d4bab4932faffb30d53cec546a3 Mon Sep 17 00:00:00 2001 |
|
288 From: Alan Coopersmith <[email protected]> |
|
289 Date: Sat, 2 Mar 2013 10:51:51 -0800 |
|
290 Subject: [PATCH:libX11 15/38] unvalidated index in _XkbReadModifierMap() |
|
291 [CVE-2013-1997 8/15] |
|
292 |
|
293 If the X server returns modifier map indexes outside the range of the number |
|
294 of keys it told us to allocate, out of bounds memory writes could occur. |
|
295 |
|
296 Reported-by: Ilja Van Sprundel <[email protected]> |
|
297 Signed-off-by: Alan Coopersmith <[email protected]> |
|
298 Reviewed-by: Matthieu Herrb <[email protected]> |
|
299 --- |
|
300 src/xkb/XKBGetMap.c | 5 +++++ |
|
301 1 file changed, 5 insertions(+) |
|
302 |
|
303 diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c |
|
304 index af93a5c..a68455b 100644 |
|
305 --- a/src/xkb/XKBGetMap.c |
|
306 +++ b/src/xkb/XKBGetMap.c |
|
307 @@ -390,6 +390,9 @@ register int i; |
|
308 unsigned char *wire; |
|
309 |
|
310 if ( rep->totalModMapKeys>0 ) { |
|
311 + if ( ((int)rep->firstModMapKey + rep->nModMapKeys) > |
|
312 + (xkb->max_key_code + 1)) |
|
313 + return BadLength; |
|
314 if ((xkb->map->modmap==NULL)&& |
|
315 (XkbAllocClientMap(xkb,XkbModifierMapMask,0)!=Success)) { |
|
316 return BadAlloc; |
|
317 @@ -402,6 +405,8 @@ unsigned char *wire; |
|
318 if (!wire) |
|
319 return BadLength; |
|
320 for (i=0;i<rep->totalModMapKeys;i++,wire+=2) { |
|
321 + if (wire[0] > xkb->max_key_code || wire[1] > xkb->max_key_code) |
|
322 + return BadLength; |
|
323 xkb->map->modmap[wire[0]]= wire[1]; |
|
324 } |
|
325 } |
|
326 -- |
|
327 1.7.9.2 |
|
328 |
|
329 From d71c0d7d138f8d15e7f4cfe747329405f0644423 Mon Sep 17 00:00:00 2001 |
|
330 From: Alan Coopersmith <[email protected]> |
|
331 Date: Sat, 2 Mar 2013 11:04:44 -0800 |
|
332 Subject: [PATCH:libX11 16/38] unvalidated index in |
|
333 _XkbReadExplicitComponents() [CVE-2013-1997 |
|
334 9/15] |
|
335 |
|
336 If the X server returns key indexes outside the range of the number of |
|
337 keys it told us to allocate, out of bounds memory writes could occur. |
|
338 |
|
339 Reported-by: Ilja Van Sprundel <[email protected]> |
|
340 Signed-off-by: Alan Coopersmith <[email protected]> |
|
341 Reviewed-by: Matthieu Herrb <[email protected]> |
|
342 --- |
|
343 src/xkb/XKBGetMap.c | 6 +++++- |
|
344 1 file changed, 5 insertions(+), 1 deletion(-) |
|
345 |
|
346 diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c |
|
347 index a68455b..ea77f2a 100644 |
|
348 --- a/src/xkb/XKBGetMap.c |
|
349 +++ b/src/xkb/XKBGetMap.c |
|
350 @@ -362,8 +362,10 @@ register int i; |
|
351 unsigned char *wire; |
|
352 |
|
353 if ( rep->totalKeyExplicit>0 ) { |
|
354 + int size = xkb->max_key_code + 1; |
|
355 + if ( ((int) rep->firstKeyExplicit + rep->nKeyExplicit) > size) |
|
356 + return BadLength; |
|
357 if ( xkb->server->explicit == NULL ) { |
|
358 - int size = xkb->max_key_code+1; |
|
359 xkb->server->explicit = _XkbTypedCalloc(size,unsigned char); |
|
360 if (xkb->server->explicit==NULL) |
|
361 return BadAlloc; |
|
362 @@ -377,6 +379,8 @@ unsigned char *wire; |
|
363 if (!wire) |
|
364 return BadLength; |
|
365 for (i=0;i<rep->totalKeyExplicit;i++,wire+=2) { |
|
366 + if (wire[0] > xkb->max_key_code || wire[1] > xkb->max_key_code) |
|
367 + return BadLength; |
|
368 xkb->server->explicit[wire[0]]= wire[1]; |
|
369 } |
|
370 } |
|
371 -- |
|
372 1.7.9.2 |
|
373 |
|
374 From fb927b6dbc0172c2ca63b5ad243bfb98bb61fc4c Mon Sep 17 00:00:00 2001 |
|
375 From: Alan Coopersmith <[email protected]> |
|
376 Date: Sat, 2 Mar 2013 11:01:04 -0800 |
|
377 Subject: [PATCH:libX11 17/38] unvalidated index in _XkbReadVirtualModMap() |
|
378 [CVE-2013-1997 10/15] |
|
379 |
|
380 If the X server returns modifier map indexes outside the range of the number |
|
381 of keys it told us to allocate, out of bounds memory writes could occur. |
|
382 |
|
383 Reported-by: Ilja Van Sprundel <[email protected]> |
|
384 Signed-off-by: Alan Coopersmith <[email protected]> |
|
385 Reviewed-by: Matthieu Herrb <[email protected]> |
|
386 --- |
|
387 src/xkb/XKBGetMap.c | 3 +++ |
|
388 1 file changed, 3 insertions(+) |
|
389 |
|
390 diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c |
|
391 index ea77f2a..5551298 100644 |
|
392 --- a/src/xkb/XKBGetMap.c |
|
393 +++ b/src/xkb/XKBGetMap.c |
|
394 @@ -425,6 +425,9 @@ xkbVModMapWireDesc * wire; |
|
395 XkbServerMapPtr srv; |
|
396 |
|
397 if ( rep->totalVModMapKeys>0 ) { |
|
398 + if (((int) rep->firstVModMapKey + rep->nVModMapKeys) |
|
399 + > xkb->max_key_code) |
|
400 + return BadLength; |
|
401 if (((xkb->server==NULL)||(xkb->server->vmodmap==NULL))&& |
|
402 (XkbAllocServerMap(xkb,XkbVirtualModMapMask,0)!=Success)) { |
|
403 return BadAlloc; |
|
404 -- |
|
405 1.7.9.2 |
|
406 |
|
407 From f06f3cdc343fd6d42021dba055f080b617432301 Mon Sep 17 00:00:00 2001 |
|
408 From: Alan Coopersmith <[email protected]> |
|
409 Date: Sat, 2 Mar 2013 11:11:08 -0800 |
|
410 Subject: [PATCH:libX11 18/38] unvalidated index/length in |
|
411 _XkbReadGetNamesReply() [CVE-2013-1997 11/15] |
|
412 |
|
413 If the X server returns key name indexes outside the range of the number |
|
414 of keys it told us to allocate, out of bounds memory writes could occur. |
|
415 |
|
416 Reported-by: Ilja Van Sprundel <[email protected]> |
|
417 Signed-off-by: Alan Coopersmith <[email protected]> |
|
418 Reviewed-by: Matthieu Herrb <[email protected]> |
|
419 --- |
|
420 src/xkb/XKBNames.c | 2 ++ |
|
421 1 file changed, 2 insertions(+) |
|
422 |
|
423 diff --git a/src/xkb/XKBNames.c b/src/xkb/XKBNames.c |
|
424 index 0276c05..0f1e48e 100644 |
|
425 --- a/src/xkb/XKBNames.c |
|
426 +++ b/src/xkb/XKBNames.c |
|
427 @@ -180,6 +180,8 @@ _XkbReadGetNamesReply( Display * dpy, |
|
428 nKeys= xkb->max_key_code+1; |
|
429 names->keys= _XkbTypedCalloc(nKeys,XkbKeyNameRec); |
|
430 } |
|
431 + else if ( ((int)rep->firstKey + rep->nKeys) > xkb->max_key_code) |
|
432 + goto BAILOUT; |
|
433 if (names->keys!=NULL) { |
|
434 if (!_XkbCopyFromReadBuffer(&buf, |
|
435 (char *)&names->keys[rep->firstKey], |
|
436 -- |
|
437 1.7.9.2 |
|
438 |
|
439 From d851a64b0704f79550a9507a34d057c7415f6516 Mon Sep 17 00:00:00 2001 |
|
440 From: Alan Coopersmith <[email protected]> |
|
441 Date: Sat, 2 Mar 2013 11:25:25 -0800 |
|
442 Subject: [PATCH:libX11 19/38] unvalidated length in _XimXGetReadData() |
|
443 [CVE-2013-1997 12/15] |
|
444 |
|
445 Check the provided buffer size against the amount of data we're going to |
|
446 write into it, not against the reported length from the ClientMessage. |
|
447 |
|
448 Reported-by: Ilja Van Sprundel <[email protected]> |
|
449 Signed-off-by: Alan Coopersmith <[email protected]> |
|
450 Reviewed-by: Matthieu Herrb <[email protected]> |
|
451 --- |
|
452 modules/im/ximcp/imTrX.c | 2 +- |
|
453 1 file changed, 1 insertion(+), 1 deletion(-) |
|
454 |
|
455 diff --git a/modules/im/ximcp/imTrX.c b/modules/im/ximcp/imTrX.c |
|
456 index 1412d70..76ff20e 100644 |
|
457 --- a/modules/im/ximcp/imTrX.c |
|
458 +++ b/modules/im/ximcp/imTrX.c |
|
459 @@ -372,7 +372,7 @@ _XimXGetReadData( |
|
460 XFree(prop_ret); |
|
461 return False; |
|
462 } |
|
463 - if (buf_len >= length) { |
|
464 + if (buf_len >= (int)nitems) { |
|
465 (void)memcpy(buf, prop_ret, (int)nitems); |
|
466 *ret_len = (int)nitems; |
|
467 if (bytes_after_ret > 0) { |
|
468 -- |
|
469 1.7.9.2 |
|
470 |
|
471 From 59ba5744cdb8831e53f6340279d9841a037c48bc Mon Sep 17 00:00:00 2001 |
|
472 From: Alan Coopersmith <[email protected]> |
|
473 Date: Sat, 2 Mar 2013 15:08:21 -0800 |
|
474 Subject: [PATCH:libX11 30/38] Avoid overflows in XListFonts() [CVE-2013-1997 |
|
475 13/15] |
|
476 |
|
477 Ensure that when breaking the returned list into individual strings, |
|
478 we don't walk past the end of allocated memory to write the '\0' bytes |
|
479 |
|
480 Signed-off-by: Alan Coopersmith <[email protected]> |
|
481 Reviewed-by: Matthieu Herrb <[email protected]> |
|
482 --- |
|
483 src/FontNames.c | 35 ++++++++++++++++++++++------------- |
|
484 1 file changed, 22 insertions(+), 13 deletions(-) |
|
485 |
|
486 diff --git a/src/FontNames.c b/src/FontNames.c |
|
487 index 3018cf2..b5bc7b4 100644 |
|
488 --- a/src/FontNames.c |
|
489 +++ b/src/FontNames.c |
|
490 @@ -29,6 +29,7 @@ in this Software without prior written authorization from The Open Group. |
|
491 #include <config.h> |
|
492 #endif |
|
493 #include "Xlibint.h" |
|
494 +#include <limits.h> |
|
495 |
|
496 char ** |
|
497 XListFonts( |
|
498 @@ -40,11 +41,13 @@ int *actualCount) /* RETURN */ |
|
499 register long nbytes; |
|
500 register unsigned i; |
|
501 register int length; |
|
502 - char **flist; |
|
503 - char *ch; |
|
504 + char **flist = NULL; |
|
505 + char *ch = NULL; |
|
506 + char *chend; |
|
507 + int count = 0; |
|
508 xListFontsReply rep; |
|
509 register xListFontsReq *req; |
|
510 - register long rlen; |
|
511 + unsigned long rlen; |
|
512 |
|
513 LockDisplay(dpy); |
|
514 GetReq(ListFonts, req); |
|
515 @@ -62,15 +65,17 @@ int *actualCount) /* RETURN */ |
|
516 } |
|
517 |
|
518 if (rep.nFonts) { |
|
519 - flist = (char **)Xmalloc ((unsigned)rep.nFonts * sizeof(char *)); |
|
520 - rlen = rep.length << 2; |
|
521 - ch = (char *) Xmalloc((unsigned) (rlen + 1)); |
|
522 + flist = Xmalloc (rep.nFonts * sizeof(char *)); |
|
523 + if (rep.length < (LONG_MAX >> 2)) { |
|
524 + rlen = rep.length << 2; |
|
525 + ch = Xmalloc(rlen + 1); |
|
526 /* +1 to leave room for last null-terminator */ |
|
527 + } |
|
528 |
|
529 if ((! flist) || (! ch)) { |
|
530 if (flist) Xfree((char *) flist); |
|
531 if (ch) Xfree(ch); |
|
532 - _XEatData(dpy, (unsigned long) rlen); |
|
533 + _XEatDataWords(dpy, rep.length); |
|
534 *actualCount = 0; |
|
535 UnlockDisplay(dpy); |
|
536 SyncHandle(); |
|
537 @@ -81,17 +86,21 @@ int *actualCount) /* RETURN */ |
|
538 /* |
|
539 * unpack into null terminated strings. |
|
540 */ |
|
541 + chend = ch + (rlen + 1); |
|
542 length = *(unsigned char *)ch; |
|
543 *ch = 1; /* make sure it is non-zero for XFreeFontNames */ |
|
544 for (i = 0; i < rep.nFonts; i++) { |
|
545 - flist[i] = ch + 1; /* skip over length */ |
|
546 - ch += length + 1; /* find next length ... */ |
|
547 - length = *(unsigned char *)ch; |
|
548 - *ch = '\0'; /* and replace with null-termination */ |
|
549 + if (ch + length < chend) { |
|
550 + flist[i] = ch + 1; /* skip over length */ |
|
551 + ch += length + 1; /* find next length ... */ |
|
552 + length = *(unsigned char *)ch; |
|
553 + *ch = '\0'; /* and replace with null-termination */ |
|
554 + count++; |
|
555 + } else |
|
556 + flist[i] = NULL; |
|
557 } |
|
558 } |
|
559 - else flist = (char **) NULL; |
|
560 - *actualCount = rep.nFonts; |
|
561 + *actualCount = count; |
|
562 UnlockDisplay(dpy); |
|
563 SyncHandle(); |
|
564 return (flist); |
|
565 -- |
|
566 1.7.9.2 |
|
567 |
|
568 From b5686ac6ad36e7742f8bba5b906bf2c57ba18955 Mon Sep 17 00:00:00 2001 |
|
569 From: Alan Coopersmith <[email protected]> |
|
570 Date: Sat, 2 Mar 2013 15:08:21 -0800 |
|
571 Subject: [PATCH:libX11 31/38] Avoid overflows in XGetFontPath() |
|
572 [CVE-2013-1997 14/15] |
|
573 |
|
574 Ensure that when breaking the returned list into individual strings, |
|
575 we don't walk past the end of allocated memory to write the '\0' bytes |
|
576 |
|
577 Signed-off-by: Alan Coopersmith <[email protected]> |
|
578 Reviewed-by: Matthieu Herrb <[email protected]> |
|
579 --- |
|
580 src/GetFPath.c | 36 ++++++++++++++++++++++-------------- |
|
581 1 file changed, 22 insertions(+), 14 deletions(-) |
|
582 |
|
583 diff --git a/src/GetFPath.c b/src/GetFPath.c |
|
584 index 7d497c9..abd4a5d 100644 |
|
585 --- a/src/GetFPath.c |
|
586 +++ b/src/GetFPath.c |
|
587 @@ -28,15 +28,18 @@ in this Software without prior written authorization from The Open Group. |
|
588 #include <config.h> |
|
589 #endif |
|
590 #include "Xlibint.h" |
|
591 +#include <limits.h> |
|
592 |
|
593 char **XGetFontPath( |
|
594 register Display *dpy, |
|
595 int *npaths) /* RETURN */ |
|
596 { |
|
597 xGetFontPathReply rep; |
|
598 - register long nbytes; |
|
599 - char **flist; |
|
600 - char *ch; |
|
601 + unsigned long nbytes; |
|
602 + char **flist = NULL; |
|
603 + char *ch = NULL; |
|
604 + char *chend; |
|
605 + int count = 0; |
|
606 register unsigned i; |
|
607 register int length; |
|
608 register xReq *req; |
|
609 @@ -46,16 +49,17 @@ char **XGetFontPath( |
|
610 (void) _XReply (dpy, (xReply *) &rep, 0, xFalse); |
|
611 |
|
612 if (rep.nPaths) { |
|
613 - flist = (char **) |
|
614 - Xmalloc((unsigned) rep.nPaths * sizeof (char *)); |
|
615 - nbytes = (long)rep.length << 2; |
|
616 - ch = (char *) Xmalloc ((unsigned) (nbytes + 1)); |
|
617 + flist = Xmalloc(rep.nPaths * sizeof (char *)); |
|
618 + if (rep.length < (LONG_MAX >> 2)) { |
|
619 + nbytes = (unsigned long) rep.length << 2; |
|
620 + ch = Xmalloc (nbytes + 1); |
|
621 /* +1 to leave room for last null-terminator */ |
|
622 + } |
|
623 |
|
624 if ((! flist) || (! ch)) { |
|
625 if (flist) Xfree((char *) flist); |
|
626 if (ch) Xfree(ch); |
|
627 - _XEatData(dpy, (unsigned long) nbytes); |
|
628 + _XEatDataWords(dpy, rep.length); |
|
629 UnlockDisplay(dpy); |
|
630 SyncHandle(); |
|
631 return (char **) NULL; |
|
632 @@ -65,16 +69,20 @@ char **XGetFontPath( |
|
633 /* |
|
634 * unpack into null terminated strings. |
|
635 */ |
|
636 + chend = ch + (nbytes + 1); |
|
637 length = *ch; |
|
638 for (i = 0; i < rep.nPaths; i++) { |
|
639 - flist[i] = ch+1; /* skip over length */ |
|
640 - ch += length + 1; /* find next length ... */ |
|
641 - length = *ch; |
|
642 - *ch = '\0'; /* and replace with null-termination */ |
|
643 + if (ch + length < chend) { |
|
644 + flist[i] = ch+1; /* skip over length */ |
|
645 + ch += length + 1; /* find next length ... */ |
|
646 + length = *ch; |
|
647 + *ch = '\0'; /* and replace with null-termination */ |
|
648 + count++; |
|
649 + } else |
|
650 + flist[i] = NULL; |
|
651 } |
|
652 } |
|
653 - else flist = NULL; |
|
654 - *npaths = rep.nPaths; |
|
655 + *npaths = count; |
|
656 UnlockDisplay(dpy); |
|
657 SyncHandle(); |
|
658 return (flist); |
|
659 -- |
|
660 1.7.9.2 |
|
661 |
|
662 From 910875c83c9e6741aba258f44f94b3d69f804d00 Mon Sep 17 00:00:00 2001 |
|
663 From: Alan Coopersmith <[email protected]> |
|
664 Date: Sat, 2 Mar 2013 15:08:21 -0800 |
|
665 Subject: [PATCH:libX11 32/38] Avoid overflows in XListExtensions() |
|
666 [CVE-2013-1997 15/15] |
|
667 |
|
668 Ensure that when breaking the returned list into individual strings, |
|
669 we don't walk past the end of allocated memory to write the '\0' bytes |
|
670 |
|
671 Signed-off-by: Alan Coopersmith <[email protected]> |
|
672 Reviewed-by: Matthieu Herrb <[email protected]> |
|
673 --- |
|
674 src/ListExt.c | 36 ++++++++++++++++++++++-------------- |
|
675 1 file changed, 22 insertions(+), 14 deletions(-) |
|
676 |
|
677 diff --git a/src/ListExt.c b/src/ListExt.c |
|
678 index 16b522e..e925c47 100644 |
|
679 --- a/src/ListExt.c |
|
680 +++ b/src/ListExt.c |
|
681 @@ -28,18 +28,21 @@ in this Software without prior written authorization from The Open Group. |
|
682 #include <config.h> |
|
683 #endif |
|
684 #include "Xlibint.h" |
|
685 +#include <limits.h> |
|
686 |
|
687 char **XListExtensions( |
|
688 register Display *dpy, |
|
689 int *nextensions) /* RETURN */ |
|
690 { |
|
691 xListExtensionsReply rep; |
|
692 - char **list; |
|
693 - char *ch; |
|
694 + char **list = NULL; |
|
695 + char *ch = NULL; |
|
696 + char *chend; |
|
697 + int count = 0; |
|
698 register unsigned i; |
|
699 register int length; |
|
700 register xReq *req; |
|
701 - register long rlen; |
|
702 + unsigned long rlen; |
|
703 |
|
704 LockDisplay(dpy); |
|
705 GetEmptyReq (ListExtensions, req); |
|
706 @@ -51,16 +54,17 @@ char **XListExtensions( |
|
707 } |
|
708 |
|
709 if (rep.nExtensions) { |
|
710 - list = (char **) Xmalloc ( |
|
711 - (unsigned)(rep.nExtensions * sizeof (char *))); |
|
712 - rlen = rep.length << 2; |
|
713 - ch = (char *) Xmalloc ((unsigned) rlen + 1); |
|
714 + list = Xmalloc (rep.nExtensions * sizeof (char *)); |
|
715 + if (rep.length < (LONG_MAX >> 2)) { |
|
716 + rlen = rep.length << 2; |
|
717 + ch = Xmalloc (rlen + 1); |
|
718 /* +1 to leave room for last null-terminator */ |
|
719 + } |
|
720 |
|
721 if ((!list) || (!ch)) { |
|
722 if (list) Xfree((char *) list); |
|
723 if (ch) Xfree((char *) ch); |
|
724 - _XEatData(dpy, (unsigned long) rlen); |
|
725 + _XEatDataWords(dpy, rep.length); |
|
726 UnlockDisplay(dpy); |
|
727 SyncHandle(); |
|
728 return (char **) NULL; |
|
729 @@ -70,17 +74,21 @@ char **XListExtensions( |
|
730 /* |
|
731 * unpack into null terminated strings. |
|
732 */ |
|
733 + chend = ch + (rlen + 1); |
|
734 length = *ch; |
|
735 for (i = 0; i < rep.nExtensions; i++) { |
|
736 - list[i] = ch+1; /* skip over length */ |
|
737 - ch += length + 1; /* find next length ... */ |
|
738 - length = *ch; |
|
739 - *ch = '\0'; /* and replace with null-termination */ |
|
740 + if (ch + length < chend) { |
|
741 + list[i] = ch+1; /* skip over length */ |
|
742 + ch += length + 1; /* find next length ... */ |
|
743 + length = *ch; |
|
744 + *ch = '\0'; /* and replace with null-termination */ |
|
745 + count++; |
|
746 + } else |
|
747 + list[i] = NULL; |
|
748 } |
|
749 } |
|
750 - else list = (char **) NULL; |
|
751 |
|
752 - *nextensions = rep.nExtensions; |
|
753 + *nextensions = count; |
|
754 UnlockDisplay(dpy); |
|
755 SyncHandle(); |
|
756 return (list); |
|
757 -- |
|
758 1.7.9.2 |
|
759 |
|
760 From 134944bfb0963151e4e65b9b17c5431a41acd28e Mon Sep 17 00:00:00 2001 |
|
761 From: Alan Coopersmith <[email protected]> |
|
762 Date: Sun, 31 Mar 2013 12:22:35 -0700 |
|
763 Subject: [PATCH:libX11 37/38] _XkbReadGetMapReply: reject maxKeyCodes smaller |
|
764 than the minKeyCode |
|
765 |
|
766 Various other bounds checks in the code assume this is true, so |
|
767 enforce it when we first get the data from the X server. |
|
768 |
|
769 Signed-off-by: Alan Coopersmith <[email protected]> |
|
770 --- |
|
771 src/xkb/XKBGetMap.c | 2 ++ |
|
772 1 file changed, 2 insertions(+) |
|
773 |
|
774 diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c |
|
775 index d4cc199..862807a 100644 |
|
776 --- a/src/xkb/XKBGetMap.c |
|
777 +++ b/src/xkb/XKBGetMap.c |
|
778 @@ -482,6 +482,8 @@ unsigned mask; |
|
779 |
|
780 if ( xkb->device_spec == XkbUseCoreKbd ) |
|
781 xkb->device_spec= rep->deviceID; |
|
782 + if ( rep->maxKeyCode < rep->minKeyCode ) |
|
783 + return BadImplementation; |
|
784 xkb->min_key_code = rep->minKeyCode; |
|
785 xkb->max_key_code = rep->maxKeyCode; |
|
786 |
|
787 -- |
|
788 1.7.9.2 |
|
789 |