libdmx: Changes to 'master'

Alan Coopersmith alanc at kemper.freedesktop.org
Thu May 23 08:32:49 PDT 2013


 configure.ac |    7 ++++
 src/dmx.c    |   84 +++++++++++++++++++++++++++++++++++++++++++++++++++--------
 2 files changed, 81 insertions(+), 10 deletions(-)

New commits:
commit 5074d9d64192bd04519a438062b7d5bf216d06ee
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sat Mar 9 13:48:28 2013 -0800

    integer overflow in DMXGetInputAttributes() [CVE-2013-1992 3/3]
    
    If the server provided nameLength causes integer overflow
    when padding length is added, a smaller buffer would be allocated
    than the amount of data written to it.
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit b6fe1a7af34ea620e002fc453f9c5eacf7db3969
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sat Mar 9 13:48:28 2013 -0800

    integer overflow in DMXGetWindowAttributes() [CVE-2013-1992 2/3]
    
    If the server provided screenCount causes integer overflow when
    multiplied by the size of each array element, a smaller buffer
    would be allocated than the amount of data written to it.
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit 78e11efe70d00063c830475eaaaa42f19380755d
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sat Mar 9 13:48:28 2013 -0800

    integer overflow in DMXGetScreenAttributes() [CVE-2013-1992 1/3]
    
    If the server provided displayNameLength causes integer overflow
    when padding length is added, a smaller buffer would be allocated
    than the amount of data written to it.
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit f34f6f64698c3b957aadba7315bb13726e3d79b0
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Fri May 3 23:10:47 2013 -0700

    Use _XEatDataWords to avoid overflow of rep.length bit shifting
    
    rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
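
Added example (not libdmx code and not part of these commits): the three 32-bit wraparounds the commit messages above describe, each beside a checked form. The function names and the caller-supplied `limit` are assumptions made for illustration; the sample values are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Unchecked: pad a server-supplied byte length to a 4-byte boundary.
 * For len >= 0xFFFFFFFD the addition wraps and the result is 0. */
uint32_t pad4_unchecked(uint32_t len) { return (len + 3u) & ~3u; }

/* Checked: returns 1 and stores the padded length, or 0 if the padding
 * would wrap or exceed the (hypothetical) caller-supplied limit. */
int pad4_checked(uint32_t len, uint32_t limit, uint32_t *out)
{
    if (len > UINT32_MAX - 3u)
        return 0;
    uint32_t padded = (len + 3u) & ~3u;
    if (padded > limit)
        return 0;
    *out = padded;
    return 1;
}

/* Checked count * elem_size for an array sized by a server-supplied count:
 * divide instead of multiplying so the test itself cannot wrap. */
int array_bytes_checked(uint32_t count, uint32_t elem_size,
                        uint32_t limit, uint32_t *out)
{
    if (elem_size == 0 || count > limit / elem_size)
        return 0;
    *out = count * elem_size;
    return 1;
}

/* A reply length counted in 4-byte words: words << 2 wraps in 32 bits. */
uint32_t words_to_bytes_unchecked(uint32_t words) { return words << 2; }

int words_to_bytes_checked(uint32_t words, uint32_t *out)
{
    if (words > (UINT32_MAX >> 2))
        return 0;
    *out = words << 2;
    return 1;
}

int main(void)
{
    uint32_t out = 0;
    printf("pad4_unchecked(0xFFFFFFFD) = %u\n", (unsigned)pad4_unchecked(0xFFFFFFFDu));
    printf("pad4_checked accepts it: %d\n", pad4_checked(0xFFFFFFFDu, 4096u, &out));
    printf("words << 2 for 0x40000001 = %u\n", (unsigned)words_to_bytes_unchecked(0x40000001u));
    return 0;
}
```

In each unchecked case an allocation sized from the wrapped value is smaller than the length the peer declared, which is the mismatch the commit messages describe.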


