mesa: Changes to 'debian-unstable'
debian/changelog | 6 ++++++
src/glx/XF86dri.c | 15 +++++++++++----
2 files changed, 17 insertions(+), 4 deletions(-)
New commits:
commit efb55da89fe36fda5e507fbfd9a53442bfaa00b1
Author: Julien Cristau <jcristau@debian.org>
Date: Thu May 23 10:50:28 2013 +0200
Upload to sid
diff --git a/debian/changelog b/debian/changelog
index 8b9461c..ed6f909 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+mesa (8.0.5-6) sid; urgency=high
+
+ * integer overflows calculating memory needs for replies [CVE-2013-1993]
+
+ -- Julien Cristau <jcristau@debian.org> Thu, 23 May 2013 10:50:24 +0200
+
mesa (8.0.5-5) sid; urgency=low
* Reupload with no source changes to restore multiarch installability
commit fa3c521d66ec1b767f231b79fbd5dd9f13a244cf
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri Apr 26 16:33:03 2013 -0700
integer overflow in XF86DRIGetClientDriverName() [CVE-2013-1993 2/2]
clientDriverNameLength is a CARD32 and needs to be bounds checked before
adding one to it to come up with the total size to allocate, to avoid
integer overflow leading to underallocation and writing data from the
network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
diff --git a/src/glx/XF86dri.c b/src/glx/XF86dri.c
index 24facfe..a6d3a40 100644
--- a/src/glx/XF86dri.c
+++ b/src/glx/XF86dri.c
@@ -305,9 +305,11 @@ XF86DRIGetClientDriverName(Display * dpy, int screen,
*ddxDriverPatchVersion = rep.ddxDriverPatchVersion;
if (rep.length) {
- if (!
- (*clientDriverName =
- (char *) Xcalloc(rep.clientDriverNameLength + 1, 1))) {
+ if (rep.clientDriverNameLength < INT_MAX)
+ *clientDriverName = Xcalloc(rep.clientDriverNameLength + 1, 1);
+ else
+ *clientDriverName = NULL;
+ if (*clientDriverName == NULL) {
_XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3));
UnlockDisplay(dpy);
SyncHandle();
commit 7eae38c8c7f3a0ef10acecfac8c2a4d9e57b3577
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri Apr 26 16:31:58 2013 -0700
integer overflow in XF86DRIOpenConnection() [CVE-2013-1993 1/2]
busIdStringLength is a CARD32 and needs to be bounds checked before adding
one to it to come up with the total size to allocate, to avoid integer
overflow leading to underallocation and writing data from the network past
the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
diff --git a/src/glx/XF86dri.c b/src/glx/XF86dri.c
index 5c181d6..24facfe 100644
--- a/src/glx/XF86dri.c
+++ b/src/glx/XF86dri.c
@@ -43,6 +43,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#include <X11/extensions/Xext.h>
#include <X11/extensions/extutil.h>
#include "xf86dristr.h"
+#include <limits.h>
static XExtensionInfo _xf86dri_info_data;
static XExtensionInfo *xf86dri_info = &_xf86dri_info_data;
@@ -201,7 +202,11 @@ XF86DRIOpenConnection(Display * dpy, int screen, drm_handle_t * hSAREA,
}
if (rep.length) {
- if (!(*busIdString = (char *) Xcalloc(rep.busIdStringLength + 1, 1))) {
+ if (rep.busIdStringLength < INT_MAX)
+ *busIdString = Xcalloc(rep.busIdStringLength + 1, 1);
+ else
+ *busIdString = NULL;
+ if (*busIdString == NULL) {
_XEatData(dpy, ((rep.busIdStringLength + 3) & ~3));
UnlockDisplay(dpy);
SyncHandle();
Reply to: