[Openchrome-devel] xf86-video-openchrome: 4 commits - configure.ac NEWS src/via_outputs.c src/xvmc/xf86dri.c

Xavier Bachelot xavierb at kemper.freedesktop.org
Thu May 23 08:09:31 PDT 2013


 NEWS               |    8 ++++++++
 configure.ac       |    2 +-
 src/via_outputs.c  |    2 +-
 src/xvmc/xf86dri.c |   14 +++++++++++---
 4 files changed, 21 insertions(+), 5 deletions(-)

New commits:
commit 0c17f81ad43d42958ab3871c9b5c5e9cea402256
Author: Xavier Bachelot <xavier at bachelot.org>
Date:   Wed May 22 18:58:48 2013 +0200

    Bump version to 0.3.3

diff --git a/NEWS b/NEWS
index 917aea0..eb1b8f8 100644
--- a/NEWS
+++ b/NEWS
@@ -1,3 +1,11 @@
+openchrome 0.3.3 (23/05/2013)
+-----------------------------
+
+This is a bugfix release.
+- Fix integer overflow in libchromeXvMC (CVE-2013-1994).
+- Various bug fixes and improvements.
+
+
 openchrome 0.3.2 (27/03/2013)
 -----------------------------
 
diff --git a/configure.ac b/configure.ac
index 238e3af..b13cb2c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -23,7 +23,7 @@
 # Initialize Autoconf
 AC_PREREQ(2.57)
 AC_INIT([xf86-video-openchrome],
-        [0.3.2],
+        [0.3.3],
         [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg&component=Driver/openchrome],
         [xf86-video-openchrome])
 
commit db309e3cd87a1279e8b592a692390755c528de4f
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sat Apr 13 20:57:07 2013 -0700

    integer overflow in uniDRIGetClientDriverName() in libchromeXvMC* [CVE-2013-1994 2/2]
    
    clientDriverNameLength is a CARD32 and needs to be bounds checked before
    adding one to it to come up with the total size to allocate, to avoid
    integer overflow leading to underallocation and writing data from the
    network past the end of the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

diff --git a/src/xvmc/xf86dri.c b/src/xvmc/xf86dri.c
index fba7583..c5702ec 100644
--- a/src/xvmc/xf86dri.c
+++ b/src/xvmc/xf86dri.c
@@ -314,8 +314,11 @@ uniDRIGetClientDriverName(dpy, screen, ddxDriverMajorVersion,
     *ddxDriverPatchVersion = rep.ddxDriverPatchVersion;
 
     if (rep.length) {
-	if (!(*clientDriverName =
-		(char *)Xcalloc(rep.clientDriverNameLength + 1, 1))) {
+	if (rep.clientDriverNameLength < INT_MAX)
+	    *clientDriverName = Xcalloc(rep.clientDriverNameLength + 1, 1);
+	else
+	    *clientDriverName = NULL;
+	if (*clientDriverName == NULL) {
 	    _XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3));
 	    UnlockDisplay(dpy);
 	    SyncHandle();
commit 68bf50ce4903ec93da59cea78e063ed7c3882d3e
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sat Apr 13 20:49:43 2013 -0700

    integer overflow in uniDRIOpenConnection() in libchromeXvMC* [CVE-2013-1994 1/2]
    
    busIdStringLength is a CARD32 and needs to be bounds checked before adding
    one to it to come up with the total size to allocate, to avoid integer
    overflow leading to underallocation and writing data from the network past
    the end of the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

diff --git a/src/xvmc/xf86dri.c b/src/xvmc/xf86dri.c
index 1feb232..fba7583 100644
--- a/src/xvmc/xf86dri.c
+++ b/src/xvmc/xf86dri.c
@@ -42,6 +42,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #include <X11/extensions/Xext.h>
 #include <X11/extensions/extutil.h>
 #include "xf86dristr.h"
+#include <limits.h>
 
 static XExtensionInfo _xf86dri_info_data;
 static XExtensionInfo *xf86dri_info = &_xf86dri_info_data;
@@ -203,7 +204,11 @@ uniDRIOpenConnection(dpy, screen, hSAREA, busIdString)
     }
 #endif
     if (rep.length) {
-	if (!(*busIdString = (char *)Xcalloc(rep.busIdStringLength + 1, 1))) {
+	if (rep.busIdStringLength < INT_MAX)
+	    *busIdString = Xcalloc(rep.busIdStringLength + 1, 1);
+	else
+	    *busIdString = NULL;
+	if (*busIdString == NULL) {
 	    _XEatData(dpy, ((rep.busIdStringLength + 3) & ~3));
 	    UnlockDisplay(dpy);
 	    SyncHandle();
commit 50cef9490c6a128613c5b9f3f19ef2e803088983
Author: Xavier Bachelot <xavier at bachelot.org>
Date:   Tue May 21 21:24:41 2013 +0200

    Probe TV encoder on all but the P4M900, unless we know the board has a TV encoder.
    
    Probing the TV encoder on the P4M900 chipset family when there is no such encoder is not safe. It is safe however on all other platforms.

diff --git a/src/via_outputs.c b/src/via_outputs.c
index 7e0c5e4..1271fc8 100644
--- a/src/via_outputs.c
+++ b/src/via_outputs.c
@@ -885,7 +885,7 @@ ViaOutputsDetect(ScrnInfoPtr pScrn)
      * disables the panel on P4M900
      */
     /* TV encoder */
-    if (pVia->ActiveDevice & VIA_DEVICE_TV)
+    if ((pVia->Chipset != VIA_P4M900) || (pVia->ActiveDevice & VIA_DEVICE_TV))
         via_tv_init(pScrn);
 
     if (pVia->ActiveDevice & VIA_DEVICE_DFP) {


More information about the Openchrome-devel mailing list