|
1 From 79362c764a6df7e7fbe5247756bdbf60f3a58baf Mon Sep 17 00:00:00 2001 |
|
2 From: Alan Coopersmith <[email protected]> |
|
3 Date: Sat, 13 Apr 2013 00:28:34 -0700 |
|
4 Subject: [PATCH:libXv 1/5] Use _XEatDataWords to avoid overflow of rep.length |
|
5 shifting |
|
6 |
|
7 rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds |
|
8 |
|
9 Signed-off-by: Alan Coopersmith <[email protected]> |
|
10 --- |
|
11 configure.ac | 6 ++++++ |
|
12 src/Xv.c | 22 +++++++++++++++++++--- |
|
13 2 files changed, 25 insertions(+), 3 deletions(-) |
|
14 |
|
15 diff --git a/configure.ac b/configure.ac |
|
16 index 5494b5d..6a335db 100644 |
|
17 --- a/configure.ac |
|
18 +++ b/configure.ac |
|
19 @@ -43,6 +43,12 @@ XORG_CHECK_MALLOC_ZERO |
|
20 # Obtain compiler/linker options for depedencies |
|
21 PKG_CHECK_MODULES(XV, x11 xext xextproto videoproto) |
|
22 |
|
23 +# Check for _XEatDataWords function that may be patched into older Xlib release |
|
24 +SAVE_LIBS="$LIBS" |
|
25 +LIBS="$XV_LIBS" |
|
26 +AC_CHECK_FUNCS([_XEatDataWords]) |
|
27 +LIBS="$SAVE_LIBS" |
|
28 + |
|
29 # Allow checking code with lint, sparse, etc. |
|
30 XORG_WITH_LINT |
|
31 XORG_LINT_LIBRARY([Xv]) |
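Review bot: The `AC_CHECK_FUNCS([_XEatDataWords])` link test fixes the choice between Xlib's symbol and the local fallback at build time, so a libXv built against a libX11 that exports `_XEatDataWords` will carry an undefined-symbol reference when loaded against an older libX11 that lacks it; that is presumably intended, but it is worth stating so packagers tighten the runtime dependency, e.g. `# Check for _XEatDataWords in Xlib (may be patched into older releases); when found, the built libXv requires a libX11 that exports it at runtime`. The check links only against `$XV_LIBS`, which here comes from the pkg-config x11 module, so the probe should see the same library the build links; if a distro overrides XV_LIBS without `-lX11` the probe would silently select the fallback.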
|
32 diff --git a/src/Xv.c b/src/Xv.c |
|
33 index b081e8a..5be1d95 100644 |
|
34 --- a/src/Xv.c |
|
35 +++ b/src/Xv.c |
|
36 @@ -49,11 +49,27 @@ SOFTWARE. |
|
37 ** |
|
38 */ |
|
39 |
|
40 +#ifdef HAVE_CONFIG_H |
|
41 +# include "config.h" |
|
42 +#endif |
|
43 + |
|
44 #include <stdio.h> |
|
45 #include "Xvlibint.h" |
|
46 #include <X11/extensions/Xext.h> |
|
47 #include <X11/extensions/extutil.h> |
|
48 #include <X11/extensions/XShm.h> |
|
49 +#include <limits.h> |
|
50 + |
|
51 +#ifndef HAVE__XEATDATAWORDS |
|
52 +static inline void _XEatDataWords(Display *dpy, unsigned long n) |
|
53 +{ |
|
54 +# ifndef LONG64 |
|
55 + if (n >= (ULONG_MAX >> 2)) |
|
56 + _XIOError(dpy); |
|
57 +# endif |
|
58 + _XEatData (dpy, n << 2); |
|
59 +} |
|
60 +#endif |
|
61 |
|
62 static XExtensionInfo _xv_info_data; |
|
63 static XExtensionInfo *xv_info = &_xv_info_data; |
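Review bot: The fallback `_XEatDataWords` (the new block under `#ifndef HAVE__XEATDATAWORDS`) depends on `_XIOError` never returning; if the older Xlib this fallback exists for has an `_XIOError` that can return, control falls through to `_XEatData(dpy, n << 2)` and performs exactly the wrapping shift the guard is meant to prevent, so a `return;` right after `_XIOError(dpy);` costs nothing and makes the intent explicit. The block is a local copy of a libX11 internal and should say so, e.g. `/* Local copy of libX11's _XEatDataWords for Xlib builds that lack it: n is a count of 32-bit words; on 32-bit longs refuse via the I/O error path rather than let n << 2 wrap. */`. The `LONG64` test assumes that macro is visible here via Xmd.h through the Xlib headers already included; that is how libX11 itself does it, but it is an inference from this hunk.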
|
64 @@ -853,7 +869,7 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num) |
|
65 (*num)++; |
|
66 } |
|
67 } else |
|
68 - _XEatData(dpy, rep.length << 2); |
|
69 + _XEatDataWords(dpy, rep.length); |
|
70 } |
|
71 |
|
72 UnlockDisplay(dpy); |
|
73 @@ -923,7 +939,7 @@ XvImageFormatValues * XvListImageFormats ( |
|
74 (*num)++; |
|
75 } |
|
76 } else |
|
77 - _XEatData(dpy, rep.length << 2); |
|
78 + _XEatDataWords(dpy, rep.length); |
|
79 } |
|
80 |
|
81 UnlockDisplay(dpy); |
|
82 @@ -976,7 +992,7 @@ XvImage * XvCreateImage ( |
|
83 _XRead(dpy, (char*)(ret->pitches), rep.num_planes << 2); |
|
84 _XRead(dpy, (char*)(ret->offsets), rep.num_planes << 2); |
|
85 } else |
|
86 - _XEatData(dpy, rep.length << 2); |
|
87 + _XEatDataWords(dpy, rep.length); |
|
88 |
|
89 UnlockDisplay(dpy); |
|
90 SyncHandle(); |
|
91 -- |
|
92 1.7.9.2 |
|
93 |
|
94 From 6e1b743a276651195be3cd68dff41e38426bf3ab Mon Sep 17 00:00:00 2001 |
|
95 From: Alan Coopersmith <[email protected]> |
|
96 Date: Sat, 13 Apr 2013 00:03:03 -0700 |
|
97 Subject: [PATCH:libXv 2/5] integer overflow in XvQueryPortAttributes() |
|
98 [CVE-2013-1989 1/3] |
|
99 |
|
100 The num_attributes & text_size members of the reply are both CARD32s |
|
101 and need to be bounds checked before multiplying & adding them together |
|
102 to come up with the total size to allocate, to avoid integer overflow |
|
103 leading to underallocation and writing data from the network past the |
|
104 end of the allocated buffer. |
|
105 |
|
106 Reported-by: Ilja Van Sprundel <[email protected]> |
|
107 Signed-off-by: Alan Coopersmith <[email protected]> |
|
108 --- |
|
109 src/Xv.c | 10 ++++++++-- |
|
110 1 file changed, 8 insertions(+), 2 deletions(-) |
|
111 |
|
112 diff --git a/src/Xv.c b/src/Xv.c |
|
113 index 5be1d95..3cbad35 100644 |
|
114 --- a/src/Xv.c |
|
115 +++ b/src/Xv.c |
|
116 @@ -851,9 +851,15 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num) |
|
117 } |
|
118 |
|
119 if(rep.num_attributes) { |
|
120 - int size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size; |
|
121 + unsigned long size; |
|
122 + /* limit each part to no more than one half the max size */ |
|
123 + if ((rep.num_attributes < ((INT_MAX / 2) / sizeof(XvAttribute))) && |
|
124 + (rep.text_size < (INT_MAX / 2))) { |
|
125 + size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size; |
|
126 + ret = Xmalloc(size); |
|
127 + } |
|
128 |
|
129 - if((ret = Xmalloc(size))) { |
|
130 + if (ret != NULL) { |
|
131 char* marker = (char*)(&ret[rep.num_attributes]); |
|
132 xvAttributeInfo Info; |
|
133 int i; |
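Review bot: The new guard bounds `num_attributes` and `text_size` individually against INT_MAX/2 but never cross-checks them against `rep.length`, the server's own statement of how many bytes follow; a reply whose counts describe more data than `rep.length` carries makes the `_XRead` loop below the hunk consume bytes of the next reply, and one describing less leaves unread bytes on the wire. After the overflow guard the sum is known to fit, so a check such as `if ((rep.num_attributes * sz_xvAttributeInfo + rep.text_size + 3) / 4 > rep.length) { /* bogus reply: eat and fail */ }` rejects inconsistent replies before allocating, without reintroducing the `<< 2` that 1/5 removed (whether the text bytes are padded in the reply is not visible here, so the exact rounding may need adjusting). The `if (ret != NULL)` test is only correct if `ret` is initialised to NULL at its declaration outside the hunk; the pre-existing `if(rep.num_attributes)` structure around the old allocation suggests it already is, but the declaration is not in view. The rest of XvQueryPortAttributes, including the `return ret`, is outside the hunk.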
|
134 -- |
|
135 1.7.9.2 |
|
136 |
|
137 From 15ab7dec17d686c38f2c82ac23a17cac5622322a Mon Sep 17 00:00:00 2001 |
|
138 From: Alan Coopersmith <[email protected]> |
|
139 Date: Sat, 13 Apr 2013 00:16:14 -0700 |
|
140 Subject: [PATCH:libXv 3/5] buffer overflow in XvQueryPortAttributes() |
|
141 [CVE-2013-2066] |
|
142 |
|
143 Each attribute returned in the reply includes the number of bytes |
|
144 to read for its marker. We had been always trusting it, and never |
|
145 validating that it wouldn't cause us to write past the end of the |
|
146 buffer we allocated based on the reported text_size. |
|
147 |
|
148 Reported-by: Ilja Van Sprundel <[email protected]> |
|
149 Signed-off-by: Alan Coopersmith <[email protected]> |
|
150 --- |
|
151 src/Xv.c | 10 ++++++++-- |
|
152 1 file changed, 8 insertions(+), 2 deletions(-) |
|
153 |
|
154 diff --git a/src/Xv.c b/src/Xv.c |
|
155 index 3cbad35..f9813eb 100644 |
|
156 --- a/src/Xv.c |
|
157 +++ b/src/Xv.c |
|
158 @@ -864,14 +864,20 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num) |
|
159 xvAttributeInfo Info; |
|
160 int i; |
|
161 |
|
162 + /* keep track of remaining room for text strings */ |
|
163 + size = rep.text_size; |
|
164 + |
|
165 for(i = 0; i < rep.num_attributes; i++) { |
|
166 _XRead(dpy, (char*)(&Info), sz_xvAttributeInfo); |
|
167 ret[i].flags = (int)Info.flags; |
|
168 ret[i].min_value = Info.min; |
|
169 ret[i].max_value = Info.max; |
|
170 ret[i].name = marker; |
|
171 - _XRead(dpy, marker, Info.size); |
|
172 - marker += Info.size; |
|
173 + if (Info.size <= size) { |
|
174 + _XRead(dpy, marker, Info.size); |
|
175 + marker += Info.size; |
|
176 + size -= Info.size; |
|
177 + } |
|
178 (*num)++; |
|
179 } |
|
180 } else |
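Review bot: When `Info.size <= size` is false the new code skips the read but leaves those `Info.size` bytes on the wire, so the next iteration's `_XRead(dpy, (char*)(&Info), sz_xvAttributeInfo)` parses name bytes as an attribute header, and `ret[i].name` is left pointing at `marker`, i.e. into uninitialised heap with no guaranteed NUL terminator — a caller printing that name reads past the allocation. Draining the bytes in an else branch keeps the reader aligned with the server's framing, and clearing the pointer (or failing the whole call and freeing `ret`) is safer than handing out a dangling string; which of those two callers tolerate is a policy choice this hunk does not show. The enclosing loop and function continue outside the hunk.

```c
	  /* … unchanged: _XRead of Info, copy of flags/min/max, ret[i].name = marker … */
	  if (Info.size <= size) {
	      _XRead(dpy, marker, Info.size);
	      marker += Info.size;
	      size -= Info.size;
	  } else {
	      /* oversized name: drain its bytes so later Info reads stay aligned */
	      _XEatData(dpy, Info.size);
	      ret[i].name = NULL;
	  }
```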
|
181 -- |
|
182 1.7.9.2 |
|
183 |
|
184 From 59301c1b5095f7dc6359d5b396dbbcdee7038270 Mon Sep 17 00:00:00 2001 |
|
185 From: Alan Coopersmith <[email protected]> |
|
186 Date: Sat, 13 Apr 2013 00:03:03 -0700 |
|
187 Subject: [PATCH:libXv 4/5] integer overflow in XvListImageFormats() |
|
188 [CVE-2013-1989 2/3] |
|
189 |
|
190 num_formats is a CARD32 and needs to be bounds checked before multiplying |
|
191 by sizeof(XvImageFormatValues) to come up with the total size to allocate, |
|
192 to avoid integer overflow leading to underallocation and writing data from |
|
193 the network past the end of the allocated buffer. |
|
194 |
|
195 Reported-by: Ilja Van Sprundel <[email protected]> |
|
196 Signed-off-by: Alan Coopersmith <[email protected]> |
|
197 --- |
|
198 src/Xv.c | 5 +++-- |
|
199 1 file changed, 3 insertions(+), 2 deletions(-) |
|
200 |
|
201 diff --git a/src/Xv.c b/src/Xv.c |
|
202 index f9813eb..0a07d9d 100644 |
|
203 --- a/src/Xv.c |
|
204 +++ b/src/Xv.c |
|
205 @@ -918,9 +918,10 @@ XvImageFormatValues * XvListImageFormats ( |
|
206 } |
|
207 |
|
208 if(rep.num_formats) { |
|
209 - int size = (rep.num_formats * sizeof(XvImageFormatValues)); |
|
210 + if (rep.num_formats < (INT_MAX / sizeof(XvImageFormatValues))) |
|
211 + ret = Xmalloc(rep.num_formats * sizeof(XvImageFormatValues)); |
|
212 |
|
213 - if((ret = Xmalloc(size))) { |
|
214 + if (ret != NULL) { |
|
215 xvImageFormatInfo Info; |
|
216 int i; |
|
217 |
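Review bot: The guard caps `num_formats` only at INT_MAX / sizeof(XvImageFormatValues), so a hostile server can still make the client allocate close to 2 GB with a single 4-byte count; bounding it by the reply's own length, e.g. `if (rep.num_formats < (INT_MAX / sizeof(XvImageFormatValues)) && rep.num_formats <= rep.length / (sz_xvImageFormatInfo / 4))`, keeps the allocation proportional to data the server actually commits to sending (dividing rather than shifting avoids the `<< 2` overflow 1/5 works around; this assumes sz_xvImageFormatInfo is a multiple of 4, as X protocol structures normally are, which is not visible here). The read loop that consumes `num_formats` entries and the `return ret` are outside the hunk.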
|
218 -- |
|
219 1.7.9.2 |
|
220 |
|
221 From 50fc4cb18069cb9450a02c13f80223ef23511409 Mon Sep 17 00:00:00 2001 |
|
222 From: Alan Coopersmith <[email protected]> |
|
223 Date: Sat, 13 Apr 2013 00:03:03 -0700 |
|
224 Subject: [PATCH:libXv 5/5] integer overflow in XvCreateImage() [CVE-2013-1989 |
|
225 3/3] |
|
226 |
|
227 num_planes is a CARD32 and needs to be bounds checked before bit shifting |
|
228 and adding to sizeof(XvImage) to come up with the total size to allocate, |
|
229 to avoid integer overflow leading to underallocation and writing data from |
|
230 the network past the end of the allocated buffer. |
|
231 |
|
232 Reported-by: Ilja Van Sprundel <[email protected]> |
|
233 Signed-off-by: Alan Coopersmith <[email protected]> |
|
234 --- |
|
235 src/Xv.c | 5 ++++- |
|
236 1 file changed, 4 insertions(+), 1 deletion(-) |
|
237 |
|
238 diff --git a/src/Xv.c b/src/Xv.c |
|
239 index 0a07d9d..f268f8e 100644 |
|
240 --- a/src/Xv.c |
|
241 +++ b/src/Xv.c |
|
242 @@ -992,7 +992,10 @@ XvImage * XvCreateImage ( |
|
243 return NULL; |
|
244 } |
|
245 |
|
246 - if((ret = (XvImage*)Xmalloc(sizeof(XvImage) + (rep.num_planes << 3)))) { |
|
247 + if (rep.num_planes < ((INT_MAX >> 3) - sizeof(XvImage))) |
|
248 + ret = Xmalloc(sizeof(XvImage) + (rep.num_planes << 3)); |
|
249 + |
|
250 + if (ret != NULL) { |
|
251 ret->id = id; |
|
252 ret->width = rep.width; |
|
253 ret->height = rep.height; |
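Review bot: `if (ret != NULL)` now reads `ret` on a path that never assigned it — when `num_planes` fails the new bound — so this is only correct if `ret` is initialised to NULL at its declaration above the hunk; unlike the other two functions in this series there is no pre-existing `if(count)` guard here that would already have required that, so please confirm and make it `XvImage *ret = NULL;` if it is not. The bound itself is conservative and sound: `rep.num_planes < (INT_MAX >> 3) - sizeof(XvImage)` keeps `sizeof(XvImage) + (rep.num_planes << 3)` well under INT_MAX and the shift itself cannot wrap a CARD32. The `else` branch that drains the reply (added in 1/5) and the rest of XvCreateImage are outside this hunk.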
|
254 -- |
|
255 1.7.9.2 |
|
256 |