diff options
| author | Matthieu Herrb <matthieu@cvs.openbsd.org> | 2013-05-23 22:42:16 +0000 |
|---|---|---|
| committer | Matthieu Herrb <matthieu@cvs.openbsd.org> | 2013-05-23 22:42:16 +0000 |
| commit | 07bbac7e9578f69cff30a142ddc328e73150e927 (patch) | |
| tree | 5969cd791a8db0ac08a76c652f7692e8f6ee50fc /lib/libXext/src/Xdbe.c | |
| parent | 428eabf70e7336aacef2ce4a15926d6a63478b2c (diff) | |
Merge upstream fixes for several X libs vulnerabilities
discovered by Ilja van Sprundel.
CVE-2013-1981 X.org libX11 1.5.99.901 (1.6 RC1) integer overflows
CVE-2013-1982 X.org libXext 1.3.1 integer overflows
CVE-2013-1983 X.org libXfixes 5.0 integer overflows
CVE-2013-1984 X.org libXi 1.7.1 integer overflows
CVE-2013-1985 X.org libXinerama 1.1.2 integer overflows
CVE-2013-1986 X.org libXrandr 1.4.0 integer overflows
CVE-2013-1987 X.org libXrender 0.9.7 integer overflows
CVE-2013-1988 X.org libXRes 1.0.6 integer overflows
CVE-2013-1989 X.org libXv 1.0.7 integer overflows
CVE-2013-1990 X.org libXvMC 1.0.7 integer overflows
CVE-2013-1991 X.org libXxf86dga 1.1.3 integer overflows
CVE-2013-1992 X.org libdmx 1.1.2 integer overflows
CVE-2013-1994 X.org libchromeXvMC & libchromeXvMCPro in openChrome
0.3.2 integer overflows
CVE-2013-1995 X.org libXi 1.7.1 sign extension issues
CVE-2013-1996 X.org libFS 1.0.4 sign extension issues
CVE-2013-1997 X.org libX11 1.5.99.901 (1.6 RC1) buffer overflows
CVE-2013-1998 X.org libXi 1.7.1 buffer overflows
CVE-2013-1999 X.org libXvMC 1.0.7 buffer overflows
CVE-2013-2000 X.org libXxf86dga 1.1.3 buffer overflows
CVE-2013-2001 X.org libXxf86vm 1.1.2 buffer overflows
CVE-2013-2002 X.org libXt 1.1.3 buffer overflows
CVE-2013-2003 X.org libXcursor 1.1.13 integer overflows
CVE-2013-2004 X.org libX11 1.5.99.901 (1.6 RC1) unbounded recursion
CVE-2013-2005 X.org libXt 1.1.3 memory corruption
CVE-2013-2066 X.org libXv 1.0.7 buffer overflows
Diffstat (limited to 'lib/libXext/src/Xdbe.c')
| -rw-r--r-- | lib/libXext/src/Xdbe.c | 27 |
1 files changed, 17 insertions, 10 deletions
diff --git a/lib/libXext/src/Xdbe.c b/lib/libXext/src/Xdbe.c index 4b5fa186c..016886c58 100644 --- a/lib/libXext/src/Xdbe.c +++ b/lib/libXext/src/Xdbe.c @@ -39,6 +39,8 @@ #include <X11/extensions/extutil.h> #include <X11/extensions/Xdbe.h> #include <X11/extensions/dbeproto.h> +#include <limits.h> +#include "eat.h" static XExtensionInfo _dbe_info_data; static XExtensionInfo *dbe_info = &_dbe_info_data; @@ -352,9 +354,12 @@ XdbeScreenVisualInfo *XdbeGetVisualInfo ( *num_screens = rep.m; /* allocate list of visual information to be returned */ - if (!(scrVisInfo = - (XdbeScreenVisualInfo *)Xmalloc( - (unsigned)(*num_screens * sizeof(XdbeScreenVisualInfo))))) { + if ((*num_screens > 0) && (*num_screens < 65536)) + scrVisInfo = Xmalloc(*num_screens * sizeof(XdbeScreenVisualInfo)); + else + scrVisInfo = NULL; + if (scrVisInfo == NULL) { + _XEatDataWords(dpy, rep.length); UnlockDisplay (dpy); SyncHandle (); return NULL; @@ -362,25 +367,27 @@ XdbeScreenVisualInfo *XdbeGetVisualInfo ( for (i = 0; i < *num_screens; i++) { - int nbytes; int j; - long c; + unsigned long c; - _XRead32 (dpy, &c, sizeof(CARD32)); - scrVisInfo[i].count = c; + _XRead32 (dpy, (long *) &c, sizeof(CARD32)); - nbytes = scrVisInfo[i].count * sizeof(XdbeVisualInfo); + if (c < 65536) { + scrVisInfo[i].count = c; + scrVisInfo[i].visinfo = Xmalloc(c * sizeof(XdbeVisualInfo)); + } else + scrVisInfo[i].visinfo = NULL; /* if we can not allocate the list of visual/depth info * then free the lists that we already allocate as well * as the visual info list itself */ - if (!(scrVisInfo[i].visinfo = (XdbeVisualInfo *)Xmalloc( - (unsigned)nbytes))) { + if (scrVisInfo[i].visinfo == NULL) { for (j = 0; j < i; j++) { Xfree ((char *)scrVisInfo[j].visinfo); } Xfree ((char *)scrVisInfo); + _XEatDataWords(dpy, rep.length); UnlockDisplay (dpy); SyncHandle (); return NULL; |