libXrandr: Changes to 'master'
Alan Coopersmith
alanc at kemper.freedesktop.org
Thu May 23 08:37:03 PDT 2013
 configure.ac              |    6 +++++
 src/Xrandrint.h           |   13 +++++++++++
 src/XrrCrtc.c             |    6 ++---
 src/XrrOutput.c           |    2 -
 src/XrrProperty.c         |   52 ++++++++++++++++++++++++++++++----------------
 src/XrrProvider.c         |    4 +--
 src/XrrProviderProperty.c |   52 ++++++++++++++++++++++++++++++----------------
 src/XrrScreen.c           |    2 -
 8 files changed, 94 insertions(+), 43 deletions(-)

New commits:
commit c90f74497dbcb96854346435349c6e2207b530c5
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Sat May 4 21:47:50 2013 -0700

    Make XRRGet*Property() always initialize returned values

    Avoids memory corruption and other errors when callers access them
    without checking to see if the calls returned an error value.

    Callers are still required to check for errors, this just reduces the
    damage when they don't.

    (Same as reported against libX11 XGetWindowProperty by Ilja Van Sprundel)

    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit 4254bf0ee4c7a8f9d03841cf0d8e16cbb201dfbd
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Sat May 4 21:37:49 2013 -0700

    integer overflow in XRRGetProviderProperty() [CVE-2013-1986 4/4]

    If the reported number of properties is too large, the calculations
    to allocate memory for them may overflow, leaving us returning less
    memory to the caller than implied by the value written to *nitems.

    (Same as reported against libX11 XGetWindowProperty by Ilja Van Sprundel)

    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit 289a1927949e6f278c18d115772e454837702e35
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Sat May 4 21:37:49 2013 -0700

    integer overflow in XRRGetOutputProperty() [CVE-2013-1986 3/4]

    If the reported number of properties is too large, the calculations
    to allocate memory for them may overflow, leaving us returning less
    memory to the caller than implied by the value written to *nitems.

    (Same as reported against libX11 XGetWindowProperty by Ilja Van Sprundel)

    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit 1da5b838c2a8565d4d95a4e948f951ce6b466345
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Fri Apr 12 21:44:59 2013 -0700

    integer overflow in XRRQueryProviderProperty() [CVE-2013-1986 2/4]

    Same problem as XRRQueryOutputProperty() that it was cloned from

    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit 0e79d96c36aef5889ae2e2a3fc2e96e93f30dc21
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Fri Apr 12 21:44:59 2013 -0700

    integer overflow in XRRQueryOutputProperty() [CVE-2013-1986 1/4]

    rep.length is a CARD32, while rbytes was a signed int, so
        rbytes = sizeof (XRRPropertyInfo) + rep.length * sizeof (long);
    could result in integer overflow, leading to an undersized malloc
    and reading data off the connection and writing it past the end of
    the allocated buffer.

    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit 1c7ad6773ce6be00dcd6e51e9be08f203abe5071
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Fri May 3 23:29:22 2013 -0700

    Use _XEatDataWords to avoid overflow of rep.length bit shifting

    rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds

    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
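
Added example, not code from libXrandr or from these commits: the size calculation quoted in the XRRQueryOutputProperty() commit message, next to a bounds-checked form of it. `prop_info_t`, `rbytes_unchecked`, `rbytes_checked` and `WRAP_LEN` are hypothetical names, and the struct is only a stand-in for XRRPropertyInfo.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for XRRPropertyInfo (assumption: the real layout is not on this page). */
typedef struct { int pending, range, immutable, num_values; long *values; } prop_info_t;

/* Constructed sample: a reply length whose byte count is exactly 2^32. */
#define WRAP_LEN ((uint32_t)(0x100000000ULL / sizeof(long)))

/* The calculation from the commit message, stored in a signed int.
 * Computed in 64 bits and truncated, so the demo itself has no undefined behaviour. */
int rbytes_unchecked(uint32_t rep_length)
{
    uint64_t wide = sizeof(prop_info_t) + (uint64_t)rep_length * sizeof(long);
    return (int)(uint32_t)wide;   /* low 32 bits: what the int ends up holding */
}

/* Bounds-checked form: 0 and *out set on success, -1 if the total would not fit in
 * an int. On -1 the caller must still discard the reply data from the connection
 * (the last commit on this page uses _XEatDataWords for that) before returning. */
int rbytes_checked(uint32_t rep_length, size_t *out)
{
    if (rep_length >= (INT_MAX - sizeof(prop_info_t)) / sizeof(long))
        return -1;
    *out = sizeof(prop_info_t) + (size_t)rep_length * sizeof(long);
    return 0;
}

int main(void)
{
    size_t n = 0;
    printf("header size:            %zu\n", sizeof(prop_info_t));
    printf("unchecked(WRAP_LEN):    %d\n", rbytes_unchecked(WRAP_LEN));
    printf("checked(WRAP_LEN):      %d\n", rbytes_checked(WRAP_LEN, &n));
    if (rbytes_checked(4, &n) == 0)
        printf("checked(4):             %zu bytes\n", n);
    return 0;
}
```

With `WRAP_LEN` the unchecked result equals the header size alone, so the buffer would hold no values although the reply announces `WRAP_LEN` of them; the checked form rejects that length.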