libXRes: Changes to 'libXres-1.0-branch'
Alan Coopersmith
alanc at kemper.freedesktop.org
Thu May 23 08:40:15 PDT 2013
configure.ac | 6 ++++++
src/XRes.c | 29 +++++++++++++++++++++++++----
2 files changed, 31 insertions(+), 4 deletions(-)
New commits:
commit ad156a716a324ee60362c8ba66a5ed8c835c219b
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Fri Apr 12 23:36:13 2013 -0700
integer overflow in XResQueryClientResources() [CVE-2013-1988 2/2]
The CARD32 rep.num_types needs to be bounds checked before multiplying
by sizeof(XResType) to avoid integer overflow leading to underallocation
and writing data from the network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
commit 3ec2db9eeb9ba8fb561802b0c4b8bf79e321b7a2
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Fri Apr 12 23:36:13 2013 -0700
integer overflow in XResQueryClients() [CVE-2013-1988 1/2]
The CARD32 rep.num_clients needs to be bounds checked before multiplying
by sizeof(XResClient) to avoid integer overflow leading to underallocation
and writing data from the network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
commit 95b352b0f4a1ab1bc254e78adbc73cd65223ded4
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Sat Apr 13 10:34:22 2013 -0700
Use _XEatDataWords to avoid overflow of rep.length shifting
rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
More information about the xorg-commit
mailing list