libXxf86dga: Changes to 'master'

Alan Coopersmith alanc at kemper.freedesktop.org
Thu May 23 08:38:25 PDT 2013


 configure.ac   |    6 ++++
 src/XF86DGA2.c |   83 +++++++++++++++++++++++++++++++++++++++++++--------------
 2 files changed, 69 insertions(+), 20 deletions(-)

New commits:
commit a8dc6be3213bc91dec5e25535ef4bad5a9456af0
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sat Apr 13 12:53:49 2013 -0700

    integer overflow in XDGAOpenFramebuffer()
    
    rep.length is a CARD32 and should be bounds checked before left shifting
    to come up with the size to allocate and read from the network, though
    since both functions take the same size, there should be no way for the
    buffer to be overflowed in this case.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit b69d6d51a82b1d1e8c68a233360acb742c879375
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sat Apr 13 12:45:41 2013 -0700

    buffer overflow in XDGASetMode() [CVE-2013-2000 2/2]
    
    When reading the name strings for the mode off the network, we never
    checked to make sure the length of the name strings didn't overflow
    the size of the buffer we'd allocated based on the reported rep.length
    for the total reply size.
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit f89cf306a60facdf102696840bc05acebd7d1772
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sat Apr 13 12:38:25 2013 -0700

    integer overflow & underflow in XDGASetMode() [CVE-2013-1991 2/2]
    
    rep.length is a CARD32 and needs to be bounds checked before bit shifting
    and subtracting sz_xXDGAModeInfo to come up with the total size to allocate,
    to avoid integer overflow or underflow leading to underallocation and
    writing data from the network past the end of the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit 5dcfa6a8cf2df39828da733e5945e730518c27b3
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sat Apr 13 12:27:10 2013 -0700

    buffer overflow in XDGAQueryModes() [CVE-2013-2000 1/2]
    
    When reading the name strings for the modes off the network, we never
    checked to make sure the length of the individual name strings didn't
    overflow the size of the buffer we'd allocated based on the reported
    rep.length for the total reply size.
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit f4a8dd63af518640468d82948f450aad4b2b1e6a
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sat Apr 13 12:18:57 2013 -0700

    integer overflow in XDGAQueryModes() [CVE-2013-1991 1/2]
    
    number is a CARD32 and needs to be bounds checked before multiplying by
    sizeof(XDGAmode) to come up with the total size to allocate, to avoid
    integer overflow leading to underallocation and writing data from the
    network past the end of the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit 6fa471be7a005bde97bcb5ca5a17662ea8d32587
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Sat Apr 13 12:05:25 2013 -0700

    Use _XEatDataWords to avoid overflow of rep.length shifting
    
    rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
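
The checks these commit messages describe, as an added example (not code from libXxf86dga or from these commits): bound the 32-bit length and count before shifting or multiplying, then check each name length against the bytes left in the reply. The demo_mode struct, the parse_modes function and the wire layout are assumptions made for illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical parsed record; stands in for the library's mode struct. */
typedef struct { uint32_t name_size; char *name; } demo_mode;

/* Assumed wire layout (constructed for this example): `number` uint32
 * name_size fields in host byte order, then the name bytes back to back.
 * `length` is the server-claimed payload size in 4-byte words; `avail` is
 * the number of bytes actually received. Returns NULL on any bad size.
 * On success modes[0].name owns the string storage. */
demo_mode *parse_modes(uint32_t number, uint32_t length,
                       const unsigned char *wire, size_t avail)
{
    /* Bound the 32-bit fields before shifting or multiplying them. */
    if (number == 0 || length >= (INT_MAX >> 2) ||
        number >= INT_MAX / sizeof(demo_mode))
        return NULL;
    size_t total = (size_t)length << 2;
    size_t hdr = (size_t)number * sizeof(uint32_t);
    if (total > avail || hdr > total)   /* so total - hdr cannot underflow */
        return NULL;
    size_t left = total - hdr;          /* name bytes the reply really has */

    demo_mode *modes = calloc(number, sizeof(demo_mode));
    char *names = calloc(left + number, 1);   /* room for one NUL per name */
    if (!modes || !names) { free(modes); free(names); return NULL; }

    const unsigned char *src = wire + hdr;
    char *dst = names;
    for (uint32_t i = 0; i < number; i++) {
        uint32_t n;
        memcpy(&n, wire + (size_t)i * sizeof n, sizeof n);
        if (n > left) {                 /* name would run past the reply */
            free(modes); free(names);
            return NULL;
        }
        memcpy(dst, src, n);
        modes[i].name_size = n;
        modes[i].name = dst;
        src += n; dst += n + 1; left -= n;
    }
    return modes;
}
```

The caller releases a successful result with free(modes[0].name) followed by free(modes).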


