
mesa: Changes to 'debian-experimental'



 debian/changelog  |    3 +++
 src/glx/XF86dri.c |   15 +++++++++++----
 2 files changed, 14 insertions(+), 4 deletions(-)

New commits:
commit ae31e4927dff215946ef29fe62adbb958517f352
Author: Emilio Pozuelo Monfort <pochu@debian.org>
Date:   Mon May 27 21:10:41 2013 +0200

    Add commits for CVE-2013-1993

diff --git a/debian/changelog b/debian/changelog
index 6aff50a..3a6d665 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -64,6 +64,9 @@ mesa (9.1.3-1) UNRELEASED; urgency=low
   [ Rico Tzschichholz ]
   * Update packaging mesa packaging with xorg-edgers
 
+  [ Emilio Pozuelo Monfort ]
+  * integer overflows calculating memory needs for replies [CVE-2013-1993]
+
  -- Julien Cristau <jcristau@debian.org>  Fri, 03 Aug 2012 23:17:16 +0200
 
 mesa (8.0.5-4) unstable; urgency=low

commit f8250a278b2d3f0ec700bc8f6f37745a097a444d
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Apr 26 16:33:03 2013 -0700

    integer overflow in XF86DRIGetClientDriverName() [CVE-2013-1993 2/2]
    
    clientDriverNameLength is a CARD32 and needs to be bounds checked before
    adding one to it to come up with the total size to allocate, to avoid
    integer overflow leading to underallocation and writing data from the
    network past the end of the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

diff --git a/src/glx/XF86dri.c b/src/glx/XF86dri.c
index 77495ef..43290d6 100644
--- a/src/glx/XF86dri.c
+++ b/src/glx/XF86dri.c
@@ -305,9 +305,11 @@ XF86DRIGetClientDriverName(Display * dpy, int screen,
    *ddxDriverPatchVersion = rep.ddxDriverPatchVersion;
 
    if (rep.length) {
-      if (!
-          (*clientDriverName =
-           calloc(rep.clientDriverNameLength + 1, 1))) {
+      if (rep.clientDriverNameLength < INT_MAX)
+	 *clientDriverName = calloc(rep.clientDriverNameLength + 1, 1);
+      else
+	 *clientDriverName = NULL;
+      if (*clientDriverName == NULL) {
          _XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3));
          UnlockDisplay(dpy);
          SyncHandle();
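Review bot: The error path under the new bound still computes `(rep.clientDriverNameLength + 3) & ~3` on a CARD32, and the lengths that now reach it through the `else` branch include values at the top of the range, where the `+ 3` wraps to a small number. For those values `_XEatData` discards far fewer bytes than the reply carries, so the rest of the reply would stay queued on the connection and be misread as later protocol data. Draining by the reply's own size field avoids the arithmetic, e.g. `_XEatDataWords(dpy, rep.length);` where the libX11 in use provides it. The same expression appears in the XF86DRIOpenConnection hunk with `rep.busIdStringLength`; both functions continue outside their hunks.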

commit c709efa5d3a51c86797f6fe5495dd79f3b1f6018
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Apr 26 16:31:58 2013 -0700

    integer overflow in XF86DRIOpenConnection() [CVE-2013-1993 1/2]
    
    busIdStringLength is a CARD32 and needs to be bounds checked before adding
    one to it to come up with the total size to allocate, to avoid integer
    overflow leading to underallocation and writing data from the network past
    the end of the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

diff --git a/src/glx/XF86dri.c b/src/glx/XF86dri.c
index b1cdc9b..77495ef 100644
--- a/src/glx/XF86dri.c
+++ b/src/glx/XF86dri.c
@@ -43,6 +43,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #include <X11/extensions/Xext.h>
 #include <X11/extensions/extutil.h>
 #include "xf86dristr.h"
+#include <limits.h>
 
 static XExtensionInfo _xf86dri_info_data;
 static XExtensionInfo *xf86dri_info = &_xf86dri_info_data;
@@ -201,7 +202,11 @@ XF86DRIOpenConnection(Display * dpy, int screen, drm_handle_t * hSAREA,
    }
 
    if (rep.length) {
-      if (!(*busIdString = calloc(rep.busIdStringLength + 1, 1))) {
+      if (rep.busIdStringLength < INT_MAX)
+	 *busIdString = calloc(rep.busIdStringLength + 1, 1);
+      else
+	 *busIdString = NULL;
+      if (*busIdString == NULL) {
          _XEatData(dpy, ((rep.busIdStringLength + 3) & ~3));
          UnlockDisplay(dpy);
          SyncHandle();
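Review bot: The new bound compares `rep.busIdStringLength` only with INT_MAX, not with the amount of data the reply says it carries, so a server can still announce a string of nearly 2 GiB inside a short reply. The allocation is then sized from that announced value, and the read that presumably follows (outside this hunk) would wait for bytes the reply does not contain. Assuming the string is the only variable-length data in this reply, also rejecting the case `(rep.busIdStringLength + 3) / 4 > rep.length` after the INT_MAX test keeps the two sizes consistent. The XF86DRIGetClientDriverName hunk has the same gap for `rep.clientDriverNameLength`.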

