libXrender: Changes to 'master'
Alan Coopersmith
alanc at kemper.freedesktop.org
Thu May 23 08:37:15 PDT 2013
configure.ac | 6 ++++
src/Filter.c | 41 ++++++++++++++++++++------------
src/Xrender.c | 69 +++++++++++++++++++++++++++++++++++--------------------
src/Xrenderint.h | 14 +++++++++++
4 files changed, 90 insertions(+), 40 deletions(-)
New commits:
commit 786f78fd8df6d165ccbc81f306fd9f22b5c1551c
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Fri Apr 12 23:02:11 2013 -0700
integer overflow in XRenderQueryPictIndexValues() [CVE-2013-1987 3/3]
The length and numIndexValues members of the reply are both CARD32 and
need to be bounds checked before multiplying by sizeof (XIndexValue) to
avoid integer overflow leading to underallocation and writing data from
the network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
commit 9e577d40322b9e3d8bdefec0eefa44d8ead451a4
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Fri Apr 12 23:02:11 2013 -0700
integer overflow in XRenderQueryFormats() [CVE-2013-1987 2/3]
The length, numFormats, numScreens, numDepths, and numVisuals members of
the reply are all CARD32 and need to be bounds checked before multiplying
and adding them together to come up with the total size to allocate, to
avoid integer overflow leading to underallocation and writing data from
the network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
commit e52853974664289fe42a92909667ed77cfa1cec5
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Fri Apr 12 22:45:20 2013 -0700
integer overflow in XRenderQueryFilters() [CVE-2013-1987 1/3]
The length, numFilters & numAliases members of the reply are all CARD32
and need to be bounds checked before multiplying & adding them together
to come up with the total size to allocate, to avoid integer overflow
leading to underallocation and writing data from the network past the
end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
commit 73e77eb21d649edc1ce1746739f9358e337b2935
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Fri May 3 22:48:11 2013 -0700
Use _XEatDataWords to avoid overflow of rep.length bit shifting
rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
More information about the xorg-commit
mailing list