1345N/AFrom a886e8bcfe8ec9d1843bcb85fdb76176dc0f2a0c Mon Sep 17 00:00:00 2001
1345N/AFrom: Alan Coopersmith <alan.coopersmith@oracle.com>
1345N/ADate: Sat, 13 Apr 2013 20:49:43 -0700
1345N/ASubject: [PATCH:xf86-video-openchrome 1/2] integer overflow in
1345N/A libchromeXvMC* [CVE-2013-1994
1345N/AbusIdStringLength is a CARD32 and needs to be bounds checked before adding
1345N/Aone to it to come up with the total size to allocate, to avoid integer
1345N/Aoverflow leading to underallocation and writing data from the network past
1345N/Athe end of the allocated buffer.
1345N/AReported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
1345N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1345N/A 1 file changed, 6 insertions(+), 1 deletion(-)
1345N/A@@ -42,6 +42,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
1345N/A static XExtensionInfo _xf86dri_info_data;
1345N/A static XExtensionInfo *xf86dri_info = &_xf86dri_info_data;
1345N/A@@ -203,7 +204,11 @@ uniDRIOpenConnection(dpy, screen, hSAREA, busIdString)
1345N/A+ if (*busIdString == NULL) {
1345N/AFrom 70fdbc0eeb99273d282c62d45f29b5f044bec08e Mon Sep 17 00:00:00 2001
1345N/AFrom: Alan Coopersmith <alan.coopersmith@oracle.com>
1345N/ADate: Sat, 13 Apr 2013 20:57:07 -0700
1345N/ASubject: [PATCH:xf86-video-openchrome 2/2] integer overflow in
1345N/A uniDRIGetClientDriverName() in
1345N/A libchromeXvMC* [CVE-2013-1994
1345N/AclientDriverNameLength is a CARD32 and needs to be bounds checked before
1345N/Aadding one to it to come up with the total size to allocate, to avoid
1345N/Ainteger overflow leading to underallocation and writing data from the
1345N/Anetwork past the end of the allocated buffer.
1345N/AReported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
1345N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1345N/A 1 file changed, 5 insertions(+), 2 deletions(-)
1345N/A@@ -314,8 +314,11 @@ uniDRIGetClientDriverName(dpy, screen, ddxDriverMajorVersion,
1345N/A+ if (*clientDriverName == NULL) {