open-src/lib/libXinerama/CVE-2013-1985.patch
changeset 1345 d5dacbb8de2b
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/open-src/lib/libXinerama/CVE-2013-1985.patch	Wed May 15 13:44:02 2013 -0700
@@ -0,0 +1,154 @@
+From 7ce3ce4be46087f9cc57cb415875abaaa961f734 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <[email protected]>
+Date: Sat, 4 May 2013 09:21:14 -0700
+Subject: [PATCH:libXinerama 1/2] Use _XEatDataWords to avoid overflow of
+ _XEatData calculations
+
+rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
+
+Signed-off-by: Alan Coopersmith <[email protected]>
+---
+ configure.ac   |    6 ++++++
+ src/Xinerama.c |   19 ++++++++++++++++++-
+ 2 files changed, 24 insertions(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index e335508..046a1aa 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -42,6 +42,12 @@ XORG_CHECK_MALLOC_ZERO
+ # Obtain compiler/linker options for depedencies
+ PKG_CHECK_MODULES(XINERAMA, x11 xext xextproto [xineramaproto >= 1.1.99.1])
+ 
++# Check for _XEatDataWords function that may be patched into older Xlib releases
++SAVE_LIBS="$LIBS"
++LIBS="$XINERAMA_LIBS"
++AC_CHECK_FUNCS([_XEatDataWords])
++LIBS="$SAVE_LIBS"
++
+ # Allow checking code with lint, sparse, etc.
+ XORG_WITH_LINT
+ LINT_FLAGS="${LINT_FLAGS} ${XINERAMA_CFLAGS}"
+diff --git a/src/Xinerama.c b/src/Xinerama.c
+index 7d7e4d8..04189b6 100644
+--- a/src/Xinerama.c
++++ b/src/Xinerama.c
+@@ -23,6 +23,10 @@ dealings in this Software without prior written authorization from Digital
+ Equipment Corporation.
+ ******************************************************************/
+ 
++#ifdef HAVE_CONFIG_H
++# include "config.h"
++#endif
++
+ #include <X11/Xlibint.h>
+ #include <X11/Xutil.h>
+ #include <X11/extensions/Xext.h>
+@@ -31,6 +35,19 @@ Equipment Corporation.
+ #include <X11/extensions/panoramiXproto.h>
+ #include <X11/extensions/Xinerama.h>
+ 
++#ifndef HAVE__XEATDATAWORDS
++#include <X11/Xmd.h>  /* for LONG64 on 64-bit platforms */
++#include <limits.h>
++
++static inline void _XEatDataWords(Display *dpy, unsigned long n)
++{
++# ifndef LONG64
++    if (n >= (ULONG_MAX >> 2))
++        _XIOError(dpy);
++# endif
++    _XEatData (dpy, n << 2);
++}
++#endif
+ 
+ static XExtensionInfo _panoramiX_ext_info_data;
+ static XExtensionInfo *panoramiX_ext_info = &_panoramiX_ext_info_data;
+@@ -302,7 +319,7 @@ XineramaQueryScreens(
+ 
+ 	    *number = rep.number;
+ 	} else
+-	    _XEatData(dpy, rep.length << 2);
++	    _XEatDataWords(dpy, rep.length);
+     } else {
+ 	*number = 0;
+     }
+-- 
+1.7.9.2
+
+From 99c644fc8488657bdd106717df7446d606f9ef22 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <[email protected]>
+Date: Fri, 8 Mar 2013 19:55:55 -0800
+Subject: [PATCH:libXinerama 2/2] integer overflow in XineramaQueryScreens()
+ [CVE-2013-1985]
+
+If the reported number of screens is too large, the calculations to
+allocate memory for them may overflow, leaving us writing beyond the
+bounds of the allocation.
+
+Reported-by: Ilja Van Sprundel <[email protected]>
+Signed-off-by: Alan Coopersmith <[email protected]>
+---
+ src/Xinerama.c |   44 ++++++++++++++++++++++++++++----------------
+ 1 file changed, 28 insertions(+), 16 deletions(-)
+
+diff --git a/src/Xinerama.c b/src/Xinerama.c
+index 04189b6..67a35b5 100644
+--- a/src/Xinerama.c
++++ b/src/Xinerama.c
+@@ -303,24 +303,36 @@ XineramaQueryScreens(
+ 	return NULL;
+     }
+ 
+-    if(rep.number) {
+-	if((scrnInfo = Xmalloc(sizeof(XineramaScreenInfo) * rep.number))) {
++    /*
++     * rep.number is a CARD32 so could be as large as 2^32
++     * The X11 protocol limits the total screen size to 64k x 64k,
++     * and no screen can be smaller than a pixel.  While technically
++     * that means we could theoretically reach 2^32 screens, and that's
++     * not even taking overlap into account, Xorg is currently limited
++     * to 16 screens, and few known servers have a much higher limit,
++     * so 1024 seems more than enough to prevent both integer overflow
++     * and insane X server responses causing massive memory allocation.
++     */
++    if ((rep.number > 0) && (rep.number <= 1024))
++	scrnInfo = Xmalloc(sizeof(XineramaScreenInfo) * rep.number);
++    if (scrnInfo != NULL) {
++	int i;
++
++	for (i = 0; i < rep.number; i++) {
+ 	    xXineramaScreenInfo scratch;
+-	    int i;
+-
+-	    for(i = 0; i < rep.number; i++) {
+-		_XRead(dpy, (char*)(&scratch), sz_XineramaScreenInfo);
+-		scrnInfo[i].screen_number = i;
+-		scrnInfo[i].x_org 	  = scratch.x_org;
+-		scrnInfo[i].y_org 	  = scratch.y_org;
+-		scrnInfo[i].width 	  = scratch.width;
+-		scrnInfo[i].height 	  = scratch.height;
+-	    }
+-
+-	    *number = rep.number;
+-	} else
+-	    _XEatDataWords(dpy, rep.length);
++
++	    _XRead(dpy, (char*)(&scratch), sz_XineramaScreenInfo);
++
++	    scrnInfo[i].screen_number = i;
++	    scrnInfo[i].x_org	= scratch.x_org;
++	    scrnInfo[i].y_org	= scratch.y_org;
++	    scrnInfo[i].width	= scratch.width;
++	    scrnInfo[i].height	= scratch.height;
++	}
++
++	*number = rep.number;
+     } else {
++	_XEatDataWords(dpy, rep.length);
+ 	*number = 0;
+     }
+ 
+-- 
+1.7.9.2
+
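Review bot: The new bound on rep.number before the Xmalloc keeps the allocation size sane, but the read loop that follows still pulls rep.number * sz_XineramaScreenInfo bytes off the connection without checking that the reply advertises that much payload in rep.length, so a reply whose number and length disagree leaves the stream desynchronised (unread bytes left behind, or bytes of the next reply consumed); folding a cross-check into the guard, e.g. `if ((rep.number > 0) && (rep.number <= 1024) && (rep.length >= rep.number * (sz_XineramaScreenInfo / 4)))`, routes such a reply to the existing _XEatDataWords branch instead (this assumes sz_XineramaScreenInfo is a multiple of four, which the protocol header should confirm). The `if (scrnInfo != NULL)` test now depends on scrnInfo being initialised to NULL at its declaration, which lies outside this hunk and is worth verifying, since the allocation is no longer performed on every path. The literal 1024 would read better as a named constant placed next to the comment that justifies it, e.g. `#define XINERAMA_MAX_SCREENS 1024`, so the rationale and the value stay together. XineramaQueryScreens begins and ends outside the hunk.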