libXp: Changes to 'master'
Alan Coopersmith
alanc at kemper.freedesktop.org
Thu May 23 08:36:14 PDT 2013
 configure.ac    |    6 ++++++
 src/XpAttr.c    |   36 +++++++++++++++++++-----------------
 src/XpExtUtil.h |   14 ++++++++++++++
 src/XpPrinter.c |   43 +++++++++++++++++++++++--------------------
 src/XpScreens.c |   16 ++++++++--------
 5 files changed, 70 insertions(+), 45 deletions(-)

New commits:
commit e111065f6dd790c820fa67ea31055b18c68481e3
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Fri Apr 26 23:59:25 2013 -0700

    integer overflows in XpQueryScreens() [CVE-2013-2062 3/3]

    listCount is a CARD32 that needs to be bounds checked before it is
    multiplied by the size of the pointers to allocate, to avoid integer
    overflow leading to underallocation and writing data from the network
    past the end of the allocated buffer.

    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit cc90f6be64bfd6973ae270b9bff494f577e1bda7
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Fri Apr 26 23:59:25 2013 -0700

    integer overflows in XpGetPrinterList() [CVE-2013-2062 2/3]

    listCount is a CARD32 that needs to be bounds checked before it is
    multiplied by the size of the structs to allocate, and the string
    lengths are CARD32s and need to be bounds checked before adding one
    to them to come up with the total size to allocate, to avoid integer
    overflow leading to underallocation and writing data from the network
    past the end of the allocated buffer.

    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit babb1fc823ab3be192c48fe115feeb0d57f74d05
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Fri Apr 26 23:59:25 2013 -0700

    integer overflow in XpGetAttributes & XpGetOneAttribute [CVE-2013-2062 1/3]

    stringLen & valueLen are CARD32s and need to be bounds checked before adding
    one to them to come up with the total size to allocate, to avoid integer
    overflow leading to underallocation and writing data from the network past
    the end of the allocated buffer.

    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit 15ec6d1d0bb8c4cb24a190ed34e63312a0623670
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Fri May 3 22:30:36 2013 -0700

    Use _XEatDataWords to avoid overflow of rep.length bit shifting

    rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds

    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
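
An added illustration, not code from libXp or from these commits: the two size computations the CVE-2013-2062 commit messages describe (a 32-bit count multiplied by an element size, and a 32-bit length plus one), each checked before the allocation size is formed. All function names and the choice of INT_MAX as the upper bound are assumptions made for this example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added illustration; every name here is hypothetical, none is libXp's. */

/* What an unchecked count * size yields where size_t is 32 bits wide. */
uint32_t unchecked_bytes32(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;          /* wraps modulo 2^32 */
}

/* Checked count * elem_size: returns 1 and sets *out, or 0 to reject. */
int wire_array_bytes(uint32_t count, size_t elem_size, size_t *out)
{
    if (elem_size == 0 || count >= INT_MAX / elem_size)
        return 0;                      /* product would exceed the cap */
    *out = (size_t)count * elem_size;
    return 1;
}

/* Checked len + 1 for a NUL-terminated copy of a string from the wire. */
int wire_string_bytes(uint32_t len, size_t *out)
{
    if (len >= INT_MAX)
        return 0;                      /* len + 1 must not wrap to 0 */
    *out = (size_t)len + 1;
    return 1;
}

/* Allocate a pointer list for a count taken from a server reply. */
char **alloc_name_list(uint32_t list_count)
{
    size_t bytes;
    if (!wire_array_bytes(list_count, sizeof(char *), &bytes))
        return NULL;                   /* caller must discard the reply data */
    return calloc(1, bytes);
}

int main(void)
{
    uint32_t count = 0x40000001u;      /* constructed sample value */
    size_t bytes;
    printf("unchecked 32-bit size: %u bytes\n", unchecked_bytes32(count, 4));
    printf("checked: %s\n",
           wire_array_bytes(count, 4, &bytes) ? "accepted" : "rejected");
    return 0;
}
```

With the constructed count above, the unchecked 32-bit product is 4 bytes for a list the reply claims has over a billion entries, which is the underallocation the commit messages refer to.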