1345N/AFrom e13eef2d952fdc082f76f66bebe6cee08c5144ab Mon Sep 17 00:00:00 2001
1345N/AFrom: Alan Coopersmith <alan.coopersmith@oracle.com>
1345N/ADate: Fri, 26 Apr 2013 16:31:58 -0700
1345N/ASubject: [PATCH:mesa 1/2] integer overflow in XF86DRIOpenConnection()
1345N/AbusIdStringLength is a CARD32 and needs to be bounds checked before adding
1345N/Aone to it to come up with the total size to allocate, to avoid integer
1345N/Aoverflow leading to underallocation and writing data from the network past
1345N/Athe end of the allocated buffer.
1345N/AReported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
1345N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1345N/A 1 file changed, 6 insertions(+), 1 deletion(-)
1345N/Aindex b1cdc9b..8f53bd7 100644
1345N/A@@ -43,6 +43,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
1345N/A static XExtensionInfo _xf86dri_info_data;
1345N/A static XExtensionInfo *xf86dri_info = &_xf86dri_info_data;
1345N/A@@ -201,7 +202,11 @@ XF86DRIOpenConnection(Display * dpy, int screen, drm_handle_t * hSAREA,
1345N/A+ if (*busIdString == NULL) {
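Review bot: The bare test `if (*busIdString == NULL) {` appears to cover two different failures, a server-supplied length that was rejected and an allocation that failed, and nothing visible in the hunk says so. A comment above it, `/* NULL: busIdStringLength failed the bound check, or the allocation failed */`, would keep a later cleanup from folding the bound away as redundant. The commit message says the CARD32 length is checked before one is added to it, but the lines doing that are not shown on this page; if the failure branch discards the rest of the reply using a size rounded up from the same field, that arithmetic needs the same bound. The same comment applies to `if (*clientDriverName == NULL) {` in the XF86DRIGetClientDriverName() hunk of patch 2/2. Both functions begin and end outside their hunks.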
1345N/AFrom 166bdb02bbbe73c11bc4b96a29f277695f4ae495 Mon Sep 17 00:00:00 2001
1345N/AFrom: Alan Coopersmith <alan.coopersmith@oracle.com>
1345N/ADate: Fri, 26 Apr 2013 16:33:03 -0700
1345N/ASubject: [PATCH:mesa 2/2] integer overflow in XF86DRIGetClientDriverName()
1345N/AclientDriverNameLength is a CARD32 and needs to be bounds checked before
1345N/Aadding one to it to come up with the total size to allocate, to avoid
1345N/Ainteger overflow leading to underallocation and writing data from the
1345N/Anetwork past the end of the allocated buffer.
1345N/AReported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
1345N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1345N/A 1 file changed, 5 insertions(+), 3 deletions(-)
1345N/Aindex 8f53bd7..56e3557 100644
1345N/A@@ -305,9 +305,11 @@ XF86DRIGetClientDriverName(Display * dpy, int screen,
1345N/A+ if (*clientDriverName == NULL) {