libXext: Changes to 'master'
Alan Coopersmith
alanc at kemper.freedesktop.org
Thu May 23 08:34:27 PDT 2013
COPYING | 3 ++-
configure.ac | 6 ++++++
src/Makefile.am | 1 +
src/XEVI.c | 29 +++++++++++++++++++++--------
src/XMultibuf.c | 3 ++-
src/XSecurity.c | 3 ++-
src/XShape.c | 27 ++++++++++++++++-----------
src/XSync.c | 35 +++++++++++++++++++++++++++--------
src/Xcup.c | 49 ++++++++++++++++++++++++++-----------------------
src/Xdbe.c | 27 +++++++++++++++++----------
src/eat.h | 40 ++++++++++++++++++++++++++++++++++++++++
11 files changed, 160 insertions(+), 63 deletions(-)
New commits:
commit dfe6e1f3b8ede3d0bab7a5fa57f73513a09ec649
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Sat Mar 9 14:40:33 2013 -0800
integer overflow in XSyncListSystemCounters() [CVE-2013-1982 6/6]
If the number of counters or amount of data reported by the server is
large enough that it overflows when multiplied by the size of the
appropriate struct, then memory corruption can occur when more bytes
are read from the X server than the size of the buffers we allocated
to hold them.
V2: Make sure we don't walk past the end of the reply when converting
data from wire format to the structures returned to the caller.
Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
commit 6ecd96e8be3c33e2ffad6631cea4aa0a030d93c2
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Sat Mar 9 14:40:33 2013 -0800
integer overflow in XShapeGetRectangles() [CVE-2013-1982 5/6]
If the number of rectangles reported by the server is large enough that
it overflows when multiplied by the size of the appropriate struct, then
memory corruption can occur when more bytes are read from the X server
than the size of the buffer we allocated to hold them.
Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
commit 67ecdcf7e29de9fa78b421122620525ed2c7db88
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Sat Mar 9 14:40:33 2013 -0800
integer overflow in XeviGetVisualInfo() [CVE-2013-1982 4/6]
If the number of visuals or conflicts reported by the server is large
enough that it overflows when multiplied by the size of the appropriate
struct, then memory corruption can occur when more bytes are read from
the X server than the size of the buffer we allocated to hold them.
Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
commit 96d1da55a08c4cd52b763cb07bdce5cdcbec4da8
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Sat Mar 9 14:40:33 2013 -0800
several integer overflows in XdbeGetVisualInfo() [CVE-2013-1982 3/6]
If the number of screens or visuals reported by the server is large enough
that it overflows when multiplied by the size of the appropriate struct,
then memory corruption can occur when more bytes are read from the X server
than the size of the buffer we allocated to hold them.
Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
commit 082d70b19848059ba78c9d1c315114fb07e8c0ef
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Sat Mar 9 14:40:33 2013 -0800
integer overflow in XcupStoreColors() [CVE-2013-1982 2/6]
If the computed number of entries is large enough that it overflows when
multiplied by the size of a xColorItem struct, or is treated as negative
when compared to the size of the stack allocated buffer, then memory
corruption can occur when more bytes are read from the X server than the
size of the buffer we allocated to hold them.
The requirement to match the number of colors specified by the caller makes
this much harder to hit than the one in XcupGetReservedColormapEntries().
Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
commit d05f27a6f74cb419ad5a437f2e4690b17e7faee5
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Sat Mar 9 14:40:33 2013 -0800
integer overflow in XcupGetReservedColormapEntries() [CVE-2013-1982 1/6]
If the computed number of entries is large enough that it overflows when
multiplied by the size of a xColorItem struct, or is treated as negative
when compared to the size of the stack allocated buffer, then memory
corruption can occur when more bytes are read from the X server than the
size of the buffer we allocated to hold them.
Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
commit ca84a813716f9de691dc3f60390d83af4b5ae534
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Sat Apr 13 09:32:12 2013 -0700
Use _XEatDataWords to avoid overflow of rep.length bit shifting
rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds.
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
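The overflow pattern these commit messages describe, shown as an added C example that is not taken from the libXext patches. `reply_t`, `wire_rect_t`, `client_rect_t` and all function names are hypothetical stand-ins, and the fields are fixed-width so the arithmetic behaves the same on 32-bit and 64-bit builds.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for a reply header, a wire item and a client struct. */
typedef struct { uint32_t length; uint32_t nitems; } reply_t; /* length in 4-byte words */
typedef struct { int16_t x, y; uint16_t w, h; } wire_rect_t;     /* 8 bytes = 2 words */
typedef struct { int32_t x, y; uint32_t w, h; } client_rect_t;   /* 16 bytes */

/* Unchecked pattern: the product is truncated to 32 bits, as on a 32-bit build. */
uint32_t naive_alloc_size(uint32_t nitems)
{
    return nitems * (uint32_t)sizeof(client_rect_t);
}

/* Unchecked byte count of the reply payload: length << 2 wraps in 32 bits. */
uint32_t naive_reply_bytes(uint32_t words) { return words << 2; }

/* Widened byte count: cannot wrap for any 32-bit word count. */
uint64_t reply_bytes(uint32_t words) { return (uint64_t)words << 2; }

/* Checked pattern: returns a buffer, or NULL when the caller must discard the reply. */
client_rect_t *checked_alloc(const reply_t *rep)
{
    /* 1. nitems * sizeof(client_rect_t) must not overflow. */
    if (rep->nitems >= INT_MAX / sizeof(client_rect_t))
        return NULL;
    /* 2. The reply must really carry that many wire items. Compare in words so
     *    neither side of the comparison can wrap. */
    if (rep->nitems > rep->length / (sizeof(wire_rect_t) / 4))
        return NULL;
    return calloc(rep->nitems ? rep->nitems : 1, sizeof(client_rect_t));
}

int main(void)
{
    reply_t hostile = { 2, 0x10000001u };   /* constructed: huge count, tiny payload */
    reply_t honest  = { 6, 3 };             /* constructed: 3 items in 6 words */
    client_rect_t *buf = checked_alloc(&honest);

    printf("naive size for hostile count: %u bytes\n",
           (unsigned)naive_alloc_size(hostile.nitems));
    printf("hostile reply accepted: %s\n", checked_alloc(&hostile) ? "yes" : "no");
    printf("honest reply accepted:  %s\n", buf ? "yes" : "no");
    free(buf);
    return 0;
}
```

With the unchecked size, a 16-byte buffer would be allocated for a count of 0x10000001 items, which is the mismatch between allocation and bytes read that the commits close off.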