libxrender: Changes to 'debian-wheezy'

New branch 'debian-wheezy' available with the following commits:

commit 90ea8142eb33d733b6a348746868e90c3158d248
Author: Julien Cristau <jcristau@debian.org>
Date: Tue May 14 19:29:23 2013 +0200

Upload to wheezy-security

commit 32896bb3d2bd0990b4e3a16397f9b6b37c96b1a0
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri Apr 12 23:02:11 2013 -0700

integer overflow in XRenderQueryPictIndexValues() [CVE-2013-1987 3/3]

The length and numIndexValues members of the reply are both CARD32 and
need to be bounds checked before multiplying by sizeof (XIndexValue) to
avoid integer overflow leading to underallocation and writing data from
the network past the end of the allocated buffer.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>

commit baed2297c0fc2ba0e94e93ffc83b397cd9eabc24
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri Apr 12 23:02:11 2013 -0700

integer overflow in XRenderQueryFormats() [CVE-2013-1987 2/3]

The length, numFormats, numScreens, numDepths, and numVisuals members of
the reply are all CARD32 and need to be bounds checked before multiplying
and adding them together to come up with the total size to allocate, to
avoid integer overflow leading to underallocation and writing data from
the network past the end of the allocated buffer.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 89914eb45ff0f55f2a33fd1a1b0cbbb26a6441fc
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri Apr 12 22:45:20 2013 -0700

integer overflow in XRenderQueryFilters() [CVE-2013-1987 1/3]

The length, numFilters & numAliases members of the reply are all CARD32
and need to be bounds checked before multiplying & adding them together
to come up with the total size to allocate, to avoid integer overflow
leading to underallocation and writing data from the network past the
end of the allocated buffer.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 432e759ed95aa5486cb65d25b35253dad59b47af
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri May 3 22:48:11 2013 -0700

Use _XEatDataWords to avoid overflow of rep.length bit shifting

rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
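
The bounds-check-before-multiply pattern these commit messages describe, as an added example that is not code from libXrender or from this mail. `index_value_t`, `WIRE_ENTRY_SIZE` and both function names are hypothetical, and the check that the count fits within the reply length is an extra assumption beyond what the messages state.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>

/* Hypothetical stand-in for the struct handed back to the caller (16 bytes). */
typedef struct {
    uint64_t pixel;
    uint16_t red, green, blue, alpha;
} index_value_t;

#define WIRE_ENTRY_SIZE 12u /* assumed size of one entry on the wire */

/* The defect: a 32-bit product of an untrusted count wraps modulo 2^32,
 * so a huge count can yield a tiny allocation size. */
uint32_t unchecked_alloc_size32(uint32_t num_values)
{
    return num_values * (uint32_t)sizeof(index_value_t);
}

/* Validate both untrusted 32-bit reply fields before any arithmetic.
 * Returns 0 and fills the outputs, or -1 if the reply must be discarded. */
int checked_sizes(uint32_t rep_length_words, uint32_t num_values,
                  size_t *alloc_bytes, size_t *wire_bytes)
{
    /* rep_length_words << 2 must not overflow, even where size_t is 32 bits. */
    if (rep_length_words >= (uint32_t)(INT_MAX >> 2))
        return -1;
    /* num_values * sizeof(entry) must not overflow either. */
    if (num_values >= INT_MAX / sizeof(index_value_t))
        return -1;

    size_t reply_bytes = (size_t)rep_length_words << 2;
    size_t need = (size_t)num_values * WIRE_ENTRY_SIZE;

    /* Added consistency check (assumption): the count may not claim more
     * entries than the reply actually carries. */
    if (need > reply_bytes)
        return -1;

    *alloc_bytes = (size_t)num_values * sizeof(index_value_t);
    *wire_bytes = need;
    return 0;
}
```

On a -1 result the caller still has to drain the unread reply from the connection before returning an error.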