libXrender: Changes to 'master'

Alan Coopersmith alanc at kemper.freedesktop.org
Thu May 23 08:37:15 PDT 2013 

 configure.ac     |    6 ++++
 src/Filter.c     |   41 ++++++++++++++++++++------------
 src/Xrender.c    |   69 +++++++++++++++++++++++++++++++++++--------------------
 src/Xrenderint.h |   14 +++++++++++
 4 files changed, 90 insertions(+), 40 deletions(-)

New commits:
commit 786f78fd8df6d165ccbc81f306fd9f22b5c1551c
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Fri Apr 12 23:02:11 2013 -0700

    integer overflow in XRenderQueryPictIndexValues() [CVE-2013-1987 3/3]
    
    The length and numIndexValues members of the reply are both CARD32 and
    need to be bounds checked before multiplying by sizeof (XIndexValue) to
    avoid integer overflow leading to underallocation and writing data from
    the network past the end of the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit 9e577d40322b9e3d8bdefec0eefa44d8ead451a4
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Fri Apr 12 23:02:11 2013 -0700

    integer overflow in XRenderQueryFormats() [CVE-2013-1987 2/3]
    
    The length, numFormats, numScreens, numDepths, and numVisuals members of
    the reply are all CARD32 and need to be bounds checked before multiplying
    and adding them together to come up with the total size to allocate, to
    avoid integer overflow leading to underallocation and writing data from
    the network past the end of the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit e52853974664289fe42a92909667ed77cfa1cec5
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Fri Apr 12 22:45:20 2013 -0700

    integer overflow in XRenderQueryFilters() [CVE-2013-1987 1/3]
    
    The length, numFilters & numAliases members of the reply are all CARD32
    and need to be bounds checked before multiplying & adding them together
    to come up with the total size to allocate, to avoid integer overflow
    leading to underallocation and writing data from the network past the
    end of the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit 73e77eb21d649edc1ce1746739f9358e337b2935
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Fri May 3 22:48:11 2013 -0700

    Use _XEatDataWords to avoid overflow of rep.length bit shifting
    
    rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

More information about the xorg-commit mailing list