From 68e8645dcd1ce619af6d92f3645c43b15bc5ac71 Mon Sep 17 00:00:00 2001
From: root
Date: Wed, 3 Jul 2013 00:48:29 -0700
Subject: Wed Jul 3 00:48:29 PDT 2013
---
extra/mesa/CVE-2013-1993.patch | 82 ------------------------------------------
1 file changed, 82 deletions(-)
delete mode 100644 extra/mesa/CVE-2013-1993.patch
(limited to 'extra/mesa/CVE-2013-1993.patch')
diff --git a/extra/mesa/CVE-2013-1993.patch b/extra/mesa/CVE-2013-1993.patch
deleted file mode 100644
index 00f723d35..000000000
--- a/extra/mesa/CVE-2013-1993.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From 80ac3b279e776b3d9f45a209e52c5bd34ba7e7df Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith
-Date: Fri, 26 Apr 2013 23:31:58 +0000
-Subject: integer overflow in XF86DRIOpenConnection() [CVE-2013-1993 1/2]
-
-busIdStringLength is a CARD32 and needs to be bounds checked before adding
-one to it to come up with the total size to allocate, to avoid integer
-overflow leading to underallocation and writing data from the network past
-the end of the allocated buffer.
-
-NOTE: This is a candidate for stable release branches.
-
-Reported-by: Ilja Van Sprundel
-Signed-off-by: Alan Coopersmith
-Reviewed-by: Brian Paul
-(cherry picked from commit 2e5a268f18be30df15aed0b44b01a18a37fb5df4)
----
-diff --git a/src/glx/XF86dri.c b/src/glx/XF86dri.c
-index b1cdc9b..8f53bd7 100644
---- a/src/glx/XF86dri.c
-+++ b/src/glx/XF86dri.c
-@@ -43,6 +43,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
- #include
- #include
- #include "xf86dristr.h"
-+#include
-
- static XExtensionInfo _xf86dri_info_data;
- static XExtensionInfo *xf86dri_info = &_xf86dri_info_data;
-@@ -201,7 +202,11 @@ XF86DRIOpenConnection(Display * dpy, int screen, drm_handle_t * hSAREA,
- }
-
- if (rep.length) {
-- if (!(*busIdString = calloc(rep.busIdStringLength + 1, 1))) {
-+ if (rep.busIdStringLength < INT_MAX)
-+ *busIdString = calloc(rep.busIdStringLength + 1, 1);
-+ else
-+ *busIdString = NULL;
-+ if (*busIdString == NULL) {
- _XEatData(dpy, ((rep.busIdStringLength + 3) & ~3));
- UnlockDisplay(dpy);
- SyncHandle();
---
-cgit v0.9.0.2-2-gbebe
-From 6de60ddf9ccac6f185d8f4e88ddfc63a94bd670f Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith
-Date: Fri, 26 Apr 2013 23:33:03 +0000
-Subject: integer overflow in XF86DRIGetClientDriverName() [CVE-2013-1993 2/2]
-
-clientDriverNameLength is a CARD32 and needs to be bounds checked before
-adding one to it to come up with the total size to allocate, to avoid
-integer overflow leading to underallocation and writing data from the
-network past the end of the allocated buffer.
-
-NOTE: This is a candidate for stable release branches.
-
-Reported-by: Ilja Van Sprundel
-Signed-off-by: Alan Coopersmith
-Reviewed-by: Brian Paul
-(cherry picked from commit 306f630e676eb901789dd09a0f30d7e7fa941ebe)
----
-diff --git a/src/glx/XF86dri.c b/src/glx/XF86dri.c
-index 8f53bd7..56e3557 100644
---- a/src/glx/XF86dri.c
-+++ b/src/glx/XF86dri.c
-@@ -305,9 +305,11 @@ XF86DRIGetClientDriverName(Display * dpy, int screen,
- *ddxDriverPatchVersion = rep.ddxDriverPatchVersion;
-
- if (rep.length) {
-- if (!
-- (*clientDriverName =
-- calloc(rep.clientDriverNameLength + 1, 1))) {
-+ if (rep.clientDriverNameLength < INT_MAX)
-+ *clientDriverName = calloc(rep.clientDriverNameLength + 1, 1);
-+ else
-+ *clientDriverName = NULL;
-+ if (*clientDriverName == NULL) {
- _XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3));
- UnlockDisplay(dpy);
- SyncHandle();
---
-cgit v0.9.0.2-2-gbebe
--
cgit v1.2.3-54-g00ecf