upstream/oracle/x-cons/x-s12-clone: comparison open-src/lib/libXv/CVE-2013-1989.patch

equal deleted inserted replaced

-:d4184aec09c6
+:74e8a5844513
+From 79362c764a6df7e7fbe5247756bdbf60f3a58baf Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <[email protected]>
+Date: Sat, 13 Apr 2013 00:28:34 -0700
+Subject: [PATCH:libXv 1/5] Use _XEatDataWords to avoid overflow of rep.length
+shifting
+rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
+Signed-off-by: Alan Coopersmith <[email protected]>
+---
+configure.ac |    6 ++++++
+src/Xv.c     |   22 +++++++++++++++++++---
+2 files changed, 25 insertions(+), 3 deletions(-)
+diff --git a/configure.ac b/configure.ac
+index 5494b5d..6a335db 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -43,6 +43,12 @@ XORG_CHECK_MALLOC_ZERO
+# Obtain compiler/linker options for depedencies
+PKG_CHECK_MODULES(XV, x11 xext xextproto videoproto)
++# Check for _XEatDataWords function that may be patched into older Xlib release
++SAVE_LIBS="$LIBS"
++LIBS="$XV_LIBS"
++AC_CHECK_FUNCS([_XEatDataWords])
++LIBS="$SAVE_LIBS"
++
+# Allow checking code with lint, sparse, etc.
+XORG_WITH_LINT
+XORG_LINT_LIBRARY([Xv])
+diff --git a/src/Xv.c b/src/Xv.c
+index b081e8a..5be1d95 100644
+--- a/src/Xv.c
++++ b/src/Xv.c
+@@ -49,11 +49,27 @@ SOFTWARE.
+**
+*/
++#ifdef HAVE_CONFIG_H
++# include "config.h"
++#endif
++
+#include <stdio.h>
+#include "Xvlibint.h"
+#include <X11/extensions/Xext.h>
+#include <X11/extensions/extutil.h>
+#include <X11/extensions/XShm.h>
++#include <limits.h>
++
++#ifndef HAVE__XEATDATAWORDS
++static inline void _XEatDataWords(Display *dpy, unsigned long n)
++{
++# ifndef LONG64
++    if (n >= (ULONG_MAX >> 2))
++        _XIOError(dpy);
++# endif
++    _XEatData (dpy, n << 2);
++}
++#endif
+static XExtensionInfo _xv_info_data;
+static XExtensionInfo *xv_info = &_xv_info_data;
+@@ -853,7 +869,7 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
+	      (*num)++;
+	  }
+} else
+-	_XEatData(dpy, rep.length << 2);
++	  _XEatDataWords(dpy, rep.length);
+}
+UnlockDisplay(dpy);
+@@ -923,7 +939,7 @@ XvImageFormatValues * XvListImageFormats (
+	      (*num)++;
+	  }
+} else
+-	_XEatData(dpy, rep.length << 2);
++	  _XEatDataWords(dpy, rep.length);
+}
+UnlockDisplay(dpy);
+@@ -976,7 +992,7 @@ XvImage * XvCreateImage (
+	_XRead(dpy, (char*)(ret->pitches), rep.num_planes << 2);
+	_XRead(dpy, (char*)(ret->offsets), rep.num_planes << 2);
+} else
+-	_XEatData(dpy, rep.length << 2);
++       _XEatDataWords(dpy, rep.length);
+UnlockDisplay(dpy);
+SyncHandle();
+--
+1.7.9.2
+From 6e1b743a276651195be3cd68dff41e38426bf3ab Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <[email protected]>
+Date: Sat, 13 Apr 2013 00:03:03 -0700
+Subject: [PATCH:libXv 2/5] integer overflow in XvQueryPortAttributes()
+[CVE-2013-1989 1/3]
+The num_attributes & text_size members of the reply are both CARD32s
+and need to be bounds checked before multiplying & adding them together
+to come up with the total size to allocate, to avoid integer overflow
+leading to underallocation and writing data from the network past the
+end of the allocated buffer.
+Reported-by: Ilja Van Sprundel <[email protected]>
+Signed-off-by: Alan Coopersmith <[email protected]>
+---
+src/Xv.c |   10 ++++++++--
+1 file changed, 8 insertions(+), 2 deletions(-)
+diff --git a/src/Xv.c b/src/Xv.c
+index 5be1d95..3cbad35 100644
+--- a/src/Xv.c
++++ b/src/Xv.c
+@@ -851,9 +851,15 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
+}
+if(rep.num_attributes) {
+-      int size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size;
++      unsigned long size;
++      /* limit each part to no more than one half the max size */
++      if ((rep.num_attributes < ((INT_MAX / 2) / sizeof(XvAttribute))) &&
++	  (rep.text_size < (INT_MAX / 2))) {
++	  size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size;
++	  ret = Xmalloc(size);
++      }
+-      if((ret = Xmalloc(size))) {
++      if (ret != NULL) {
+	  char* marker = (char*)(&ret[rep.num_attributes]);
+	  xvAttributeInfo Info;
+	  int i;
+--
+1.7.9.2
+From 15ab7dec17d686c38f2c82ac23a17cac5622322a Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <[email protected]>
+Date: Sat, 13 Apr 2013 00:16:14 -0700
+Subject: [PATCH:libXv 3/5] buffer overflow in XvQueryPortAttributes()
+[CVE-2013-2066]
+Each attribute returned in the reply includes the number of bytes
+to read for its marker.  We had been always trusting it, and never
+validating that it wouldn't cause us to write past the end of the
+buffer we allocated based on the reported text_size.
+Reported-by: Ilja Van Sprundel <[email protected]>
+Signed-off-by: Alan Coopersmith <[email protected]>
+---
+src/Xv.c |   10 ++++++++--
+1 file changed, 8 insertions(+), 2 deletions(-)
+diff --git a/src/Xv.c b/src/Xv.c
+index 3cbad35..f9813eb 100644
+--- a/src/Xv.c
++++ b/src/Xv.c
+@@ -864,14 +864,20 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
+	  xvAttributeInfo Info;
+	  int i;
++	  /* keep track of remaining room for text strings */
++	  size = rep.text_size;
++
+	  for(i = 0; i < rep.num_attributes; i++) {
+_XRead(dpy, (char*)(&Info), sz_xvAttributeInfo);
+	      ret[i].flags = (int)Info.flags;
+	      ret[i].min_value = Info.min;
+	      ret[i].max_value = Info.max;
+	      ret[i].name = marker;
+-	      _XRead(dpy, marker, Info.size);
+-	      marker += Info.size;
++	      if (Info.size <= size) {
++		  _XRead(dpy, marker, Info.size);
++		  marker += Info.size;
++		  size -= Info.size;
++	      }
+	      (*num)++;
+	  }
+} else
+--
+1.7.9.2
+From 59301c1b5095f7dc6359d5b396dbbcdee7038270 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <[email protected]>
+Date: Sat, 13 Apr 2013 00:03:03 -0700
+Subject: [PATCH:libXv 4/5] integer overflow in XvListImageFormats()
+[CVE-2013-1989 2/3]
+num_formats is a CARD32 and needs to be bounds checked before multiplying
+by sizeof(XvImageFormatValues) to come up with the total size to allocate,
+to avoid integer overflow leading to underallocation and writing data from
+the network past the end of the allocated buffer.
+Reported-by: Ilja Van Sprundel <[email protected]>
+Signed-off-by: Alan Coopersmith <[email protected]>
+---
+src/Xv.c |    5 +++--
+1 file changed, 3 insertions(+), 2 deletions(-)
+diff --git a/src/Xv.c b/src/Xv.c
+index f9813eb..0a07d9d 100644
+--- a/src/Xv.c
++++ b/src/Xv.c
+@@ -918,9 +918,10 @@ XvImageFormatValues * XvListImageFormats (
+}
+if(rep.num_formats) {
+-      int size = (rep.num_formats * sizeof(XvImageFormatValues));
++      if (rep.num_formats < (INT_MAX / sizeof(XvImageFormatValues)))
++	  ret = Xmalloc(rep.num_formats * sizeof(XvImageFormatValues));
+-      if((ret = Xmalloc(size))) {
++      if (ret != NULL) {
+	  xvImageFormatInfo Info;
+	  int i;
+--
+1.7.9.2
+From 50fc4cb18069cb9450a02c13f80223ef23511409 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <[email protected]>
+Date: Sat, 13 Apr 2013 00:03:03 -0700
+Subject: [PATCH:libXv 5/5] integer overflow in XvCreateImage() [CVE-2013-1989
+3/3]
+num_planes is a CARD32 and needs to be bounds checked before bit shifting
+and adding to sizeof(XvImage) to come up with the total size to allocate,
+to avoid integer overflow leading to underallocation and writing data from
+the network past the end of the allocated buffer.
+Reported-by: Ilja Van Sprundel <[email protected]>
+Signed-off-by: Alan Coopersmith <[email protected]>
+---
+src/Xv.c |    5 ++++-
+1 file changed, 4 insertions(+), 1 deletion(-)
+diff --git a/src/Xv.c b/src/Xv.c
+index 0a07d9d..f268f8e 100644
+--- a/src/Xv.c
++++ b/src/Xv.c
+@@ -992,7 +992,10 @@ XvImage * XvCreateImage (
+return NULL;
+}
+-   if((ret = (XvImage*)Xmalloc(sizeof(XvImage) + (rep.num_planes << 3)))) {
++   if (rep.num_planes < ((INT_MAX >> 3) - sizeof(XvImage)))
++       ret = Xmalloc(sizeof(XvImage) + (rep.num_planes << 3));
++
++   if (ret != NULL) {
+	ret->id = id;
+	ret->width = rep.width;
+	ret->height = rep.height;
+--
+1.7.9.2