libXRes: Changes to 'master'
Alan Coopersmith
alanc at kemper.freedesktop.org
Thu May 23 08:40:15 PDT 2013
configure.ac | 6 ++++++
src/XRes.c | 30 ++++++++++++++++++++++++++----
2 files changed, 32 insertions(+), 4 deletions(-)
New commits:
commit f468184963e53feda848853c4aefd0197b2cc116
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Fri Apr 12 23:36:13 2013 -0700
integer overflow in XResQueryClientResources() [CVE-2013-1988 2/2]
The CARD32 rep.num_types needs to be bounds checked before multiplying
by sizeof(XResType) to avoid integer overflow leading to underallocation
and writing data from the network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
commit b053d215b80e721f9afdc5794e4f3f4f2aee0141
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Fri Apr 12 23:36:13 2013 -0700
integer overflow in XResQueryClients() [CVE-2013-1988 1/2]
The CARD32 rep.num_clients needs to be bounds checked before multiplying
by sizeof(XResClient) to avoid integer overflow leading to underallocation
and writing data from the network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
commit 69457711050ac3a53859ef11790a7ac815cd7d94
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Sat Apr 13 10:34:22 2013 -0700
Use _XEatDataWords to avoid overflow of rep.length shifting
rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
More information about the xorg-commit
mailing list