1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
|
From 80ac3b279e776b3d9f45a209e52c5bd34ba7e7df Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri, 26 Apr 2013 23:31:58 +0000
Subject: integer overflow in XF86DRIOpenConnection() [CVE-2013-1993 1/2]
busIdStringLength is a CARD32 and needs to be bounds checked before adding
one to it to come up with the total size to allocate, to avoid integer
overflow leading to underallocation and writing data from the network past
the end of the allocated buffer.
NOTE: This is a candidate for stable release branches.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Brian Paul <brianp@vmware.com>
(cherry picked from commit 2e5a268f18be30df15aed0b44b01a18a37fb5df4)
---
diff --git a/src/glx/XF86dri.c b/src/glx/XF86dri.c
index b1cdc9b..8f53bd7 100644
--- a/src/glx/XF86dri.c
+++ b/src/glx/XF86dri.c
@@ -43,6 +43,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#include <X11/extensions/Xext.h>
#include <X11/extensions/extutil.h>
#include "xf86dristr.h"
+#include <limits.h>
static XExtensionInfo _xf86dri_info_data;
static XExtensionInfo *xf86dri_info = &_xf86dri_info_data;
@@ -201,7 +202,11 @@ XF86DRIOpenConnection(Display * dpy, int screen, drm_handle_t * hSAREA,
}
if (rep.length) {
- if (!(*busIdString = calloc(rep.busIdStringLength + 1, 1))) {
+ if (rep.busIdStringLength < INT_MAX)
+ *busIdString = calloc(rep.busIdStringLength + 1, 1);
+ else
+ *busIdString = NULL;
+ if (*busIdString == NULL) {
_XEatData(dpy, ((rep.busIdStringLength + 3) & ~3));
UnlockDisplay(dpy);
SyncHandle();
--
cgit v0.9.0.2-2-gbebe
From 6de60ddf9ccac6f185d8f4e88ddfc63a94bd670f Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri, 26 Apr 2013 23:33:03 +0000
Subject: integer overflow in XF86DRIGetClientDriverName() [CVE-2013-1993 2/2]
clientDriverNameLength is a CARD32 and needs to be bounds checked before
adding one to it to come up with the total size to allocate, to avoid
integer overflow leading to underallocation and writing data from the
network past the end of the allocated buffer.
NOTE: This is a candidate for stable release branches.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Brian Paul <brianp@vmware.com>
(cherry picked from commit 306f630e676eb901789dd09a0f30d7e7fa941ebe)
---
diff --git a/src/glx/XF86dri.c b/src/glx/XF86dri.c
index 8f53bd7..56e3557 100644
--- a/src/glx/XF86dri.c
+++ b/src/glx/XF86dri.c
@@ -305,9 +305,11 @@ XF86DRIGetClientDriverName(Display * dpy, int screen,
*ddxDriverPatchVersion = rep.ddxDriverPatchVersion;
if (rep.length) {
- if (!
- (*clientDriverName =
- calloc(rep.clientDriverNameLength + 1, 1))) {
+ if (rep.clientDriverNameLength < INT_MAX)
+ *clientDriverName = calloc(rep.clientDriverNameLength + 1, 1);
+ else
+ *clientDriverName = NULL;
+ if (*clientDriverName == NULL) {
_XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3));
UnlockDisplay(dpy);
SyncHandle();
--
cgit v0.9.0.2-2-gbebe
|
