libXv: Changes to 'master'

Alan Coopersmith alanc at kemper.freedesktop.org
Thu May 23 08:37:53 PDT 2013


 configure.ac |    6 ++++++
 src/Xv.c     |   52 ++++++++++++++++++++++++++++++++++++++++++----------
 2 files changed, 48 insertions(+), 10 deletions(-)

New commits:
commit 50fc4cb18069cb9450a02c13f80223ef23511409
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sat Apr 13 00:03:03 2013 -0700

    integer overflow in XvCreateImage() [CVE-2013-1989 3/3]
    
    num_planes is a CARD32 and needs to be bounds checked before bit shifting
    and adding to sizeof(XvImage) to come up with the total size to allocate,
    to avoid integer overflow leading to underallocation and writing data from
    the network past the end of the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit 59301c1b5095f7dc6359d5b396dbbcdee7038270
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sat Apr 13 00:03:03 2013 -0700

    integer overflow in XvListImageFormats() [CVE-2013-1989 2/3]
    
    num_formats is a CARD32 and needs to be bounds checked before multiplying
    by sizeof(XvImageFormatValues) to come up with the total size to allocate,
    to avoid integer overflow leading to underallocation and writing data from
    the network past the end of the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit 15ab7dec17d686c38f2c82ac23a17cac5622322a
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sat Apr 13 00:16:14 2013 -0700

    buffer overflow in XvQueryPortAttributes() [CVE-2013-2066]
    
    Each attribute returned in the reply includes the number of bytes
    to read for its marker.  We had been always trusting it, and never
    validating that it wouldn't cause us to write past the end of the
    buffer we allocated based on the reported text_size.
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit 6e1b743a276651195be3cd68dff41e38426bf3ab
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sat Apr 13 00:03:03 2013 -0700

    integer overflow in XvQueryPortAttributes() [CVE-2013-1989 1/3]
    
    The num_attributes & text_size members of the reply are both CARD32s
    and need to be bounds checked before multiplying & adding them together
    to come up with the total size to allocate, to avoid integer overflow
    leading to underallocation and writing data from the network past the
    end of the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit 79362c764a6df7e7fbe5247756bdbf60f3a58baf
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sat Apr 13 00:28:34 2013 -0700

    Use _XEatDataWords to avoid overflow of rep.length shifting
    
    rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
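
The commit messages above describe two classes of defect: a 32-bit allocation size that wraps when computed from reply fields, and a per-item length that is trusted while copying into the buffer. The following C sketch is an added example, not code from libXv or from these commits. attr_t, naive_size, checked_size, copy_name and all sample values are hypothetical names and constructed data.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size per-attribute record (16 bytes); not libXv's XvAttribute. */
typedef struct { uint32_t flags, min_value, max_value, name_off; } attr_t;

/* Unchecked 32-bit size computation: wraps for large server-supplied counts. */
static uint32_t naive_size(uint32_t num_attributes, uint32_t text_size)
{
    return num_attributes * (uint32_t)sizeof(attr_t) + text_size;
}

/* Bounds-check both CARD32-style fields before multiplying and adding.
 * Returns 0 and stores the total in *out, or -1 if a field is too large. */
static int checked_size(uint32_t num_attributes, uint32_t text_size, size_t *out)
{
    if (num_attributes >= (INT_MAX / 2) / sizeof(attr_t)) return -1;
    if (text_size >= INT_MAX / 2) return -1;
    *out = (size_t)num_attributes * sizeof(attr_t) + text_size;
    return 0;
}

/* Copy one name whose length came from the wire into the text area, rejecting
 * a length larger than the space left; always NUL-terminates on success. */
static int copy_name(char *dst, size_t *remaining, const char *src, uint32_t len)
{
    if (len == 0 || len > *remaining) return -1;
    memcpy(dst, src, len);
    dst[len - 1] = '\0';
    *remaining -= len;
    return 0;
}

int main(void)
{
    size_t total = 0;
    /* Constructed values: 0x10000000 records of 16 bytes wrap to 0 in 32 bits. */
    printf("naive:   %u bytes\n", (unsigned)naive_size(0x10000000u, 64));
    printf("checked: %d\n", checked_size(0x10000000u, 64, &total));
    if (checked_size(3, 40, &total) == 0)
        printf("sane:    %zu bytes\n", total);
    return 0;
}
```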


