[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

X Strike Force SVN commit: rev 593 - in branches/4.3.0/sid/debian: . patches

Author: branden
Date: 2003-09-27 03:28:04 -0500 (Sat, 27 Sep 2003)
New Revision: 593

Modified:
   branches/4.3.0/sid/debian/changelog
   branches/4.3.0/sid/debian/patches/000_post430.diff
Log:
SECURITY: Fix overflows in the test for integer overflows. Reported by
Paul Anderson.

- debian/patches/000_post430.diff


Modified: branches/4.3.0/sid/debian/changelog
===================================================================
--- branches/4.3.0/sid/debian/changelog	2003-09-27 07:42:15 UTC (rev 592)
+++ branches/4.3.0/sid/debian/changelog	2003-09-27 08:28:04 UTC (rev 593)
@@ -1,4 +1,4 @@
-xfree86 (4.3.0-0pre1v3) experimental; urgency=low
+xfree86 (4.3.0-0pre1v3) experimental; urgency=high
 
   * Update pam_setcred() security fix to xdm to use pam_error and
     pam_strerror().
@@ -12,8 +12,12 @@
     - debian/rules: stop constructing package
     - debian/xlibmesa-drm-src.install: deleted
 
- -- Branden Robinson <branden@debian.org>  Tue, 23 Sep 2003 15:00:38 -0500
+  * SECURITY: Fix overflows in the test for integer overflows. Reported by
+    Paul Anderson.
+    - debian/patches/000_post430.diff
 
+ -- Branden Robinson <branden@debian.org>  Sat, 27 Sep 2003 03:26:49 -0500
+
 xfree86 (4.3.0-0pre1v2) experimental; urgency=low
 
   * debian/patches/911_debian_XF86Config_to_XF86Config-4.diff: merge this

Modified: branches/4.3.0/sid/debian/patches/000_post430.diff
===================================================================
--- branches/4.3.0/sid/debian/patches/000_post430.diff	2003-09-27 07:42:15 UTC (rev 592)
+++ branches/4.3.0/sid/debian/patches/000_post430.diff	2003-09-27 08:28:04 UTC (rev 593)
@@ -241,6 +241,9 @@
         (Alan Coopersmith, Marc La France, Oswald Buddenhagen, Matthieu Herrb,
         Nicolas JOLY, Jason L. Wright, Joel Ray Holveck).
 
+(xc/lib/FS/{FSFtNames.c,FSGetCats.c,FSListCats.c,FSListExt.c}):
+  Fix overflows in the test for integer overflows. Reported by Paul Anderson.
+
 Index: xc/config/cf/NetBSD.cf
 ===================================================================
 RCS file: /cvs/xc/config/cf/NetBSD.cf,v
@@ -673,17 +676,17 @@
 ===================================================================
 RCS file: /cvs/xc/lib/FS/FSFtNames.c,v
 retrieving revision 1.2
-retrieving revision 1.2.4.2
-diff -u -r1.2 -r1.2.4.2
+retrieving revision 1.2.4.3
+diff -u -r1.2 -r1.2.4.3
 --- xc/lib/FS/FSFtNames.c	14 Dec 2001 19:53:32 -0000	1.2
-+++ xc/lib/FS/FSFtNames.c	1 Sep 2003 21:05:35 -0000	1.2.4.2
++++ xc/lib/FS/FSFtNames.c	25 Sep 2003 20:58:39 -0000	1.2.4.3
 @@ -78,7 +78,8 @@
  	  (SIZEOF(fsListFontsReply) - SIZEOF(fsGenericReply)) >> 2, fsFalse))
  	return (char **) 0;
  
 -    if (rep.nFonts) {
 +    if (rep.nFonts && rep.nFonts <= SIZE_MAX / sizeof(char *)
-+	&& rep.length <= ((SIZE_MAX + SIZEOF(fsListFontsReply) - 1) >> 2)) {
++	&& rep.length <= (SIZE_MAX >> 2)) {
  	flist = (char **) FSmalloc((unsigned) rep.nFonts * sizeof(char *));
  	rlen = (rep.length << 2) - SIZEOF(fsListFontsReply);
  	c = (char *) FSmalloc((unsigned) (rlen + 1));
@@ -691,17 +694,17 @@
 ===================================================================
 RCS file: /cvs/xc/lib/FS/FSGetCats.c,v
 retrieving revision 1.2
-retrieving revision 1.2.4.2
-diff -u -r1.2 -r1.2.4.2
+retrieving revision 1.2.4.3
+diff -u -r1.2 -r1.2.4.3
 --- xc/lib/FS/FSGetCats.c	14 Dec 2001 19:53:32 -0000	1.2
-+++ xc/lib/FS/FSGetCats.c	1 Sep 2003 21:05:35 -0000	1.2.4.2
++++ xc/lib/FS/FSGetCats.c	25 Sep 2003 20:58:39 -0000	1.2.4.3
 @@ -72,9 +72,10 @@
  	SyncHandle();
  	return (char **) NULL;
      }
 -    if (rep.num_catalogues) {
 +    if (rep.num_catalogues && rep.num_catalogues <= SIZE_MAX/sizeof(char *)
-+	&& rep.length <= ((SIZE_MAX + SIZEOF(fsGetCataloguesReply) - 1)>>2)) {
++	&& rep.length <= (SIZE_MAX >> 2)) {
  	list = (char **)
 -	    FSmalloc((unsigned) (rep.num_catalogues * sizeof(char *)));
 +	       FSmalloc((unsigned) (rep.num_catalogues * sizeof(char *)));
@@ -712,17 +715,17 @@
 ===================================================================
 RCS file: /cvs/xc/lib/FS/FSListCats.c,v
 retrieving revision 1.2
-retrieving revision 1.2.4.2
-diff -u -r1.2 -r1.2.4.2
+retrieving revision 1.2.4.3
+diff -u -r1.2 -r1.2.4.3
 --- xc/lib/FS/FSListCats.c	14 Dec 2001 19:53:32 -0000	1.2
-+++ xc/lib/FS/FSListCats.c	1 Sep 2003 21:05:36 -0000	1.2.4.2
++++ xc/lib/FS/FSListCats.c	25 Sep 2003 20:58:39 -0000	1.2.4.3
 @@ -78,7 +78,8 @@
      (SIZEOF(fsListCataloguesReply) - SIZEOF(fsGenericReply)) >> 2, fsFalse))
  	return (char **) 0;
  
 -    if (rep.num_catalogues) {
 +    if (rep.num_catalogues && rep.num_catalogues <= SIZE_MAX/sizeof(char *)
-+	&& rep.length <= ((SIZE_MAX+SIZEOF(fsListCataloguesReply)+1)>>2)) {
++	&& rep.length <= (SIZE_MAX>>2)) {
  	clist = (char **)
  	    FSmalloc((unsigned) rep.num_catalogues * sizeof(char *));
  	rlen = (rep.length << 2) - SIZEOF(fsListCataloguesReply);
@@ -730,17 +733,17 @@
 ===================================================================
 RCS file: /cvs/xc/lib/FS/FSListExt.c,v
 retrieving revision 1.2
-retrieving revision 1.2.4.2
-diff -u -r1.2 -r1.2.4.2
+retrieving revision 1.2.4.3
+diff -u -r1.2 -r1.2.4.3
 --- xc/lib/FS/FSListExt.c	14 Dec 2001 19:53:32 -0000	1.2
-+++ xc/lib/FS/FSListExt.c	1 Sep 2003 21:05:36 -0000	1.2.4.2
++++ xc/lib/FS/FSListExt.c	25 Sep 2003 20:58:39 -0000	1.2.4.3
 @@ -72,7 +72,8 @@
  	SyncHandle();
  	return (char **) NULL;
      }
 -    if (rep.nExtensions) {
 +    if (rep.nExtensions && rep.nExtensions <= SIZE_MAX / sizeof(char *)
-+	&& rep.length <= ((SIZE_MAX+SIZEOF(fsListExtensionsReply)+1)>>2)) {
++	&& rep.length <= (SIZE_MAX>>2)) {
  	list = (char **) FSmalloc((unsigned)(rep.nExtensions * sizeof(char *)));
  	rlen = (rep.length << 2) - SIZEOF(fsListExtensionsReply);
  	c = (char *) FSmalloc((unsigned) rlen + 1);
Reply to: