libXext: Changes to 'master'

Alan Coopersmith alanc at kemper.freedesktop.org
Thu May 23 08:34:27 PDT 2013


 COPYING         |    3 ++-
 configure.ac    |    6 ++++++
 src/Makefile.am |    1 +
 src/XEVI.c      |   29 +++++++++++++++++++++--------
 src/XMultibuf.c |    3 ++-
 src/XSecurity.c |    3 ++-
 src/XShape.c    |   27 ++++++++++++++++-----------
 src/XSync.c     |   35 +++++++++++++++++++++++++++--------
 src/Xcup.c      |   49 ++++++++++++++++++++++++++-----------------------
 src/Xdbe.c      |   27 +++++++++++++++++----------
 src/eat.h       |   40 ++++++++++++++++++++++++++++++++++++++++
 11 files changed, 160 insertions(+), 63 deletions(-)

New commits:
commit dfe6e1f3b8ede3d0bab7a5fa57f73513a09ec649
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sat Mar 9 14:40:33 2013 -0800

    integer overflow in XSyncListSystemCounters() [CVE-2013-1982 6/6]
    
    If the number of counters or amount of data reported by the server is
    large enough that it overflows when multiplied by the size of the
    appropriate struct, then memory corruption can occur when more bytes
    are read from the X server than the size of the buffers we allocated
    to hold them.
    
    V2: Make sure we don't walk past the end of the reply when converting
    data from wire format to the structures returned to the caller.
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit 6ecd96e8be3c33e2ffad6631cea4aa0a030d93c2
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sat Mar 9 14:40:33 2013 -0800

    integer overflow in XShapeGetRectangles() [CVE-2013-1982 5/6]
    
    If the number of rectangles reported by the server is large enough that
    it overflows when multiplied by the size of the appropriate struct, then
    memory corruption can occur when more bytes are read from the X server
    than the size of the buffer we allocated to hold them.
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit 67ecdcf7e29de9fa78b421122620525ed2c7db88
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sat Mar 9 14:40:33 2013 -0800

    integer overflow in XeviGetVisualInfo() [CVE-2013-1982 4/6]
    
    If the number of visuals or conflicts reported by the server is large
    enough that it overflows when multiplied by the size of the appropriate
    struct, then memory corruption can occur when more bytes are read from
    the X server than the size of the buffer we allocated to hold them.
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit 96d1da55a08c4cd52b763cb07bdce5cdcbec4da8
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sat Mar 9 14:40:33 2013 -0800

    several integer overflows in XdbeGetVisualInfo() [CVE-2013-1982 3/6]
    
    If the number of screens or visuals reported by the server is large enough
    that it overflows when multiplied by the size of the appropriate struct,
    then memory corruption can occur when more bytes are read from the X server
    than the size of the buffer we allocated to hold them.
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit 082d70b19848059ba78c9d1c315114fb07e8c0ef
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sat Mar 9 14:40:33 2013 -0800

    integer overflow in XcupStoreColors() [CVE-2013-1982 2/6]
    
    If the computed number of entries is large enough that it overflows when
    multiplied by the size of a xColorItem struct, or is treated as negative
    when compared to the size of the stack allocated buffer, then memory
    corruption can occur when more bytes are read from the X server than the
    size of the buffer we allocated to hold them.
    
    The requirement to match the number of colors specified by the caller makes
    this much harder to hit than the one in XcupGetReservedColormapEntries()
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit d05f27a6f74cb419ad5a437f2e4690b17e7faee5
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sat Mar 9 14:40:33 2013 -0800

    integer overflow in XcupGetReservedColormapEntries() [CVE-2013-1982 1/6]
    
    If the computed number of entries is large enough that it overflows when
    multiplied by the size of a xColorItem struct, or is treated as negative
    when compared to the size of the stack allocated buffer, then memory
    corruption can occur when more bytes are read from the X server than the
    size of the buffer we allocated to hold them.
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit ca84a813716f9de691dc3f60390d83af4b5ae534
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sat Apr 13 09:32:12 2013 -0700

    Use _XEatDataWords to avoid overflow of rep.length bit shifting
    
    rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
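
Added example (not part of the original commit mail, and not libXext code): a minimal C sketch of the failure mode the commit messages above describe, next to one way to validate a server-reported count before allocating. The record sizes and function names are hypothetical stand-ins for the structs named in the commits.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical record sizes (assumptions, not taken from libXext). */
#define WIRE_REC_SIZE 8u   /* bytes per record in the server reply */
#define HOST_REC_SIZE 16u  /* bytes per record returned to the caller */

/* Buffer size computed in 32-bit arithmetic: the product wraps modulo 2^32,
 * so a huge count can yield a tiny allocation. */
uint32_t unchecked_alloc_size(uint32_t count)
{
    return count * HOST_REC_SIZE;
}

/* Reply size in bytes computed as "length << 2" on a 32-bit length:
 * the two high bits are shifted out and lost. */
uint32_t shifted_reply_bytes(uint32_t length_words)
{
    return length_words << 2;
}

/* Returns the allocation size in bytes, or 0 if the reply must be rejected
 * (the caller would then discard the rest of the reply and fail). */
size_t checked_alloc_size(uint32_t count, uint32_t length_words)
{
    /* Bound the count so count * HOST_REC_SIZE cannot overflow. */
    if (count == 0 || count >= INT_MAX / HOST_REC_SIZE)
        return 0;
    /* Compare in 64 bits so neither side can wrap: the records the
     * server claims to send must fit inside the reply it announced. */
    uint64_t need = (uint64_t)count * WIRE_REC_SIZE;
    uint64_t have = (uint64_t)length_words * 4u;
    if (need > have)
        return 0;
    return (size_t)count * HOST_REC_SIZE;
}

int main(void)
{
    uint32_t count = 0x10000001u;   /* constructed hostile count */
    uint32_t words = 0x40000001u;   /* constructed hostile reply length */
    printf("unchecked size: %u bytes for %u records\n",
           (unsigned)unchecked_alloc_size(count), (unsigned)count);
    printf("length << 2:    %u bytes\n", (unsigned)shifted_reply_bytes(words));
    printf("checked size:   %zu (0 means rejected)\n",
           checked_alloc_size(count, words));
    printf("checked size:   %zu for 4 records in 8 words\n",
           checked_alloc_size(4, 8));
    return 0;
}
```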


