libXv: Changes to 'master'
Alan Coopersmith
alanc at kemper.freedesktop.org
Thu May 23 08:37:53 PDT 2013

configure.ac | 6 ++++++
src/Xv.c | 52 ++++++++++++++++++++++++++++++++++++++++++----------
2 files changed, 48 insertions(+), 10 deletions(-)

New commits:

commit 50fc4cb18069cb9450a02c13f80223ef23511409
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Sat Apr 13 00:03:03 2013 -0700

integer overflow in XvCreateImage() [CVE-2013-1989 3/3]

num_planes is a CARD32 and needs to be bounds checked before bit shifting
and adding to sizeof(XvImage) to come up with the total size to allocate,
to avoid integer overflow leading to underallocation and writing data from
the network past the end of the allocated buffer.

Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit 59301c1b5095f7dc6359d5b396dbbcdee7038270
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Sat Apr 13 00:03:03 2013 -0700

integer overflow in XvListImageFormats() [CVE-2013-1989 2/3]

num_formats is a CARD32 and needs to be bounds checked before multiplying
by sizeof(XvImageFormatValues) to come up with the total size to allocate,
to avoid integer overflow leading to underallocation and writing data from
the network past the end of the allocated buffer.

Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit 15ab7dec17d686c38f2c82ac23a17cac5622322a
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Sat Apr 13 00:16:14 2013 -0700

buffer overflow in XvQueryPortAttributes() [CVE-2013-2066]

Each attribute returned in the reply includes the number of bytes
to read for its marker. We had been always trusting it, and never
validating that it wouldn't cause us to write past the end of the
buffer we allocated based on the reported text_size.

Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit 6e1b743a276651195be3cd68dff41e38426bf3ab
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Sat Apr 13 00:03:03 2013 -0700

integer overflow in XvQueryPortAttributes() [CVE-2013-1989 1/3]

The num_attributes & text_size members of the reply are both CARD32s
and need to be bounds checked before multiplying & adding them together
to come up with the total size to allocate, to avoid integer overflow
leading to underallocation and writing data from the network past the
end of the allocated buffer.

Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit 79362c764a6df7e7fbe5247756bdbf60f3a58baf
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Sat Apr 13 00:28:34 2013 -0700

Use _XEatDataWords to avoid overflow of rep.length shifting

rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds

Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
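
The size calculation described in the CVE-2013-1989 1/3 message (a reply count multiplied by a record size, plus text_size), as an added example that is not code from the libXv patch. The attr_rec type, the function names and the INT_MAX limit are assumptions chosen for illustration, and the unchecked sum is done in uint32_t to mimic a 32-bit build.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical 16-byte stand-in for the per-attribute record;
 * this is not libXv's XvAttribute. */
typedef struct { int32_t flags, min_value, max_value; uint32_t name_off; } attr_rec;

/* Unchecked pattern: multiply and add two wire-supplied CARD32 values in
 * 32-bit arithmetic. Large inputs wrap around to a small allocation size. */
static uint32_t unchecked_size32(uint32_t num_attributes, uint32_t text_size)
{
    return num_attributes * (uint32_t)sizeof(attr_rec) + text_size;
}

/* Checked pattern: bound each value before multiplying and adding.
 * Returns 0 and stores the size in *out, or -1 if the reply must be
 * rejected. 'limit' is an assumed upper bound on any single allocation. */
static int checked_size(uint32_t num_attributes, uint32_t text_size,
                        size_t limit, size_t *out)
{
    if (num_attributes >= limit / sizeof(attr_rec))
        return -1;                       /* product would exceed limit */
    size_t fixed = (size_t)num_attributes * sizeof(attr_rec);
    if (text_size >= limit - fixed)
        return -1;                       /* sum would exceed limit */
    *out = fixed + text_size;
    return 0;
}

int main(void)
{
    /* Constructed reply values, not captured from a real server. */
    uint32_t n = 0x10000001u, text = 16;
    size_t size = 0;

    printf("unchecked 32-bit size: %u bytes for %u records\n",
           (unsigned)unchecked_size32(n, text), (unsigned)n);
    if (checked_size(n, text, INT_MAX, &size) != 0)
        printf("checked: reply rejected\n");
    if (checked_size(4, 64, INT_MAX, &size) == 0)
        printf("checked: 4 records + 64 text bytes -> %zu bytes\n", size);
    return 0;
}
```

A caller that rejects the reply still has to discard the remaining reply data from the connection, which is what the _XEatDataWords commit above is concerned with.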