CVE-2013-1994.patch revision 1351
From a886e8bcfe8ec9d1843bcb85fdb76176dc0f2a0c Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 13 Apr 2013 20:49:43 -0700
Subject: [PATCH:xf86-video-openchrome 1/2] integer overflow in
uniDRIOpenConnection() in
libchromeXvMC* [CVE-2013-1994
1/2]
busIdStringLength is a CARD32 and needs to be bounds checked before adding
one to it to come up with the total size to allocate, to avoid integer
overflow leading to underallocation and writing data from the network past
the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/xvmc/xf86dri.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/xvmc/xf86dri.c b/src/xvmc/xf86dri.c
index 1feb232..fba7583 100644
--- a/src/xvmc/xf86dri.c
+++ b/src/xvmc/xf86dri.c
@@ -42,6 +42,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#include <X11/extensions/Xext.h>
#include <X11/extensions/extutil.h>
#include "xf86dristr.h"
+#include <limits.h>
static XExtensionInfo _xf86dri_info_data;
static XExtensionInfo *xf86dri_info = &_xf86dri_info_data;
@@ -203,7 +204,11 @@ uniDRIOpenConnection(dpy, screen, hSAREA, busIdString)
}
#endif
if (rep.length) {
- if (!(*busIdString = (char *)Xcalloc(rep.busIdStringLength + 1, 1))) {
+ if (rep.busIdStringLength < INT_MAX)
+ *busIdString = Xcalloc(rep.busIdStringLength + 1, 1);
+ else
+ *busIdString = NULL;
+ if (*busIdString == NULL) {
_XEatData(dpy, ((rep.busIdStringLength + 3) & ~3));
UnlockDisplay(dpy);
SyncHandle();
--
1.7.9.2
From 70fdbc0eeb99273d282c62d45f29b5f044bec08e Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 13 Apr 2013 20:57:07 -0700
Subject: [PATCH:xf86-video-openchrome 2/2] integer overflow in
uniDRIGetClientDriverName() in
libchromeXvMC* [CVE-2013-1994
2/2]
clientDriverNameLength is a CARD32 and needs to be bounds checked before
adding one to it to come up with the total size to allocate, to avoid
integer overflow leading to underallocation and writing data from the
network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/xvmc/xf86dri.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/src/xvmc/xf86dri.c b/src/xvmc/xf86dri.c
index fba7583..c5702ec 100644
--- a/src/xvmc/xf86dri.c
+++ b/src/xvmc/xf86dri.c
@@ -314,8 +314,11 @@ uniDRIGetClientDriverName(dpy, screen, ddxDriverMajorVersion,
*ddxDriverPatchVersion = rep.ddxDriverPatchVersion;
if (rep.length) {
- if (!(*clientDriverName =
- (char *)Xcalloc(rep.clientDriverNameLength + 1, 1))) {
+ if (rep.clientDriverNameLength < INT_MAX)
+ *clientDriverName = Xcalloc(rep.clientDriverNameLength + 1, 1);
+ else
+ *clientDriverName = NULL;
+ if (*clientDriverName == NULL) {
_XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3));
UnlockDisplay(dpy);
SyncHandle();
--
1.7.9.2