libXvMC: Changes to 'master'

Alan Coopersmith alanc at kemper.freedesktop.org
Thu May 23 08:38:07 PDT 2013


 configure.ac |    6 ++++
 src/XvMC.c   |   77 ++++++++++++++++++++++++++++++++++++-----------------------
 2 files changed, 53 insertions(+), 30 deletions(-)

New commits:
commit e9415ddef2ac81d4139bd32d5e9cda9394a60051
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sat Apr 13 01:20:08 2013 -0700

    Multiple unvalidated assumptions in XvMCGetDRInfo() [CVE-2013-1999]
    
    The individual string sizes are assumed to not be more than the amount of
    data read from the network, and could cause buffer overflow if they are.
    
    The strings returned from the X server are assumed to be null terminated,
    and could cause callers to read past the end of the buffer if they are not.
    
    Also be sure to set the returned pointers to NULL, so callers don't try
    accessing bad pointers on failure cases.
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit 5fd871e5f878810f8f8837725d548e07e89577ab
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sat Apr 13 00:50:02 2013 -0700

    integer overflow in _xvmc_create_*()
    
    rep.length is a CARD32 and should be bounds checked before left-shifting
    by 2 bits to come up with the total size to allocate, though in these
    cases, no buffer overflow should occur here, since the XRead call is passed
    the same rep.length << 2 length argument, but the *priv_count returned to
    the caller could be interpreted or used to calculate a larger buffer size
    than was actually allocated, leading them to go out of bounds.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit 478d4e5873eeee2ebdce6673e4e3469816ab63b8
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sat Apr 13 00:50:02 2013 -0700

    integer overflow in XvMCListSubpictureTypes() [CVE-2013-1990 2/2]
    
    rep.num is a CARD32 and needs to be bounds checked before multiplying by
    sizeof(XvImageFormatValues) to come up with the total size to allocate,
    to avoid integer overflow leading to underallocation and writing data from
    the network past the end of the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit 2712383813b26475dc6713888414d842be57f8ca
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sat Apr 13 00:50:02 2013 -0700

    integer overflow in XvMCListSurfaceTypes() [CVE-2013-1990 1/2]
    
    rep.num is a CARD32 and needs to be bounds checked before multiplying
    by sizeof(XvMCSurfaceInfo) to come up with the total size to allocate,
    to avoid integer overflow leading to underallocation and writing data from
    the network past the end of the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit cf1a1dc1b9ca34a29d0471da9389f8eae70ddbd9
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sat Apr 13 00:47:57 2013 -0700

    Use _XEatDataWords to avoid overflow of rep.length shifting
    
    rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
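
The three kinds of check these commit messages describe (a count bounded before multiplying, a word length bounded before shifting, and string fields validated against the data actually read), as an added example that is not taken from the libXvMC patches. The entry_t record, the function names and the sample reply bytes are hypothetical and constructed for illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical 16-byte per-entry record; a stand-in, not a libXvMC type. */
typedef struct { int32_t id, width, height, flags; } entry_t;

/* What an unchecked 32-bit size computation yields: wraps modulo 2^32. */
uint32_t unchecked_size32(uint32_t num) { return num * (uint32_t)sizeof(entry_t); }

/* Allocate for a server-supplied count only if count * size cannot overflow. */
entry_t *alloc_entries(uint32_t num)
{
    if (num == 0 || num >= INT_MAX / sizeof(entry_t))
        return NULL;
    return malloc(num * sizeof(entry_t));
}

/* Convert a reply length in 4-byte words to bytes; 0 means empty or rejected. */
size_t words_to_bytes(uint32_t words)
{
    return (words < (INT_MAX >> 2)) ? (size_t)words << 2 : 0;
}

/* Copy a length-prefixed string out of the bytes actually read: the claimed
 * length must fit in the buffer, and the copy is always NUL-terminated. */
char *copy_string_field(const char *buf, size_t buf_len, size_t off, uint32_t len)
{
    char *out;
    if (off > buf_len || len > buf_len - off)
        return NULL;                /* caller sees NULL, never a bad pointer */
    if ((out = malloc((size_t)len + 1)) == NULL)
        return NULL;
    memcpy(out, buf + off, len);
    out[len] = '\0';
    return out;
}

int main(void)
{
    const char reply[] = { 'a', 'b', 'c', 'd', 'e', 'f' };  /* constructed, no NUL */
    char *s = copy_string_field(reply, sizeof reply, 2, 3);
    printf("unchecked: %u bytes, checked alloc: %p, field: %s\n",
           (unsigned)unchecked_size32(0x10000001u), (void *)alloc_entries(0x10000001u), s ? s : "(null)");
    free(s);
    return 0;
}
```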


