
libxext: Changes to 'debian-unstable'



 COPYING                       |    3 
 ChangeLog                     |  177 ++++++++++++++++++++++++++++++++++++++++++
 autogen.sh                    |    4 
 configure.ac                  |    9 +-
 debian/changelog              |   16 +++
 debian/compat                 |    2 
 debian/control                |    3 
 debian/rules                  |   21 +---
 include/X11/extensions/sync.h |    2 
 man/XShape.man                |   18 ++--
 man/Xmbuf.man                 |  115 ++++++++++++++++-----------
 src/Makefile.am               |    1 
 src/XEVI.c                    |   29 ++++--
 src/XMultibuf.c               |    3 
 src/XSecurity.c               |    3 
 src/XShape.c                  |   27 +++---
 src/XSync.c                   |   39 ++++++---
 src/Xcup.c                    |   49 ++++++-----
 src/Xdbe.c                    |   27 ++++--
 src/Xge.c                     |   10 ++
 src/eat.h                     |   40 +++++++++
 21 files changed, 458 insertions(+), 140 deletions(-)

New commits:
commit 680979a49d27331dd3fb7cc31a5ee19862ff3d18
Author: Julien Cristau <jcristau@debian.org>
Date:   Mon Jun 24 16:14:09 2013 +0200

    Upload to unstable

diff --git a/debian/changelog b/debian/changelog
index 4ab8d00..cc7f151 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-libxext (2:1.3.2-1) UNRELEASED; urgency=low
+libxext (2:1.3.2-1) unstable; urgency=low
 
   * New upstream release.
   * Bump debhelper compat level to 7.
@@ -6,7 +6,7 @@ libxext (2:1.3.2-1) UNRELEASED; urgency=low
   * Disable silent rules.
   * Use dh_prep instead of dh_clean -k.
 
- -- Julien Cristau <jcristau@debian.org>  Mon, 24 Jun 2013 15:14:56 +0200
+ -- Julien Cristau <jcristau@debian.org>  Mon, 24 Jun 2013 16:14:00 +0200
 
 libxext (2:1.3.1-2+deb7u1) wheezy-security; urgency=high
 

commit 6de7d108041b2ae69f48a5aeb205281da6c9beb7
Author: Julien Cristau <jcristau@debian.org>
Date:   Mon Jun 24 16:13:47 2013 +0200

    Use dh_prep instead of dh_clean -k.

diff --git a/debian/changelog b/debian/changelog
index 53746d6..4ab8d00 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,7 @@ libxext (2:1.3.2-1) UNRELEASED; urgency=low
   * Bump debhelper compat level to 7.
   * Use dpkg-buildflags.
   * Disable silent rules.
+  * Use dh_prep instead of dh_clean -k.
 
  -- Julien Cristau <jcristau@debian.org>  Mon, 24 Jun 2013 15:14:56 +0200
 
diff --git a/debian/rules b/debian/rules
index 7b79c26..3f825a0 100755
--- a/debian/rules
+++ b/debian/rules
@@ -67,7 +67,7 @@ clean: xsfclean
 install: build-stamp
 	dh_testdir
 	dh_testroot
-	dh_clean -k
+	dh_prep
 	dh_installdirs
 
 	cd build && $(MAKE) DESTDIR=$(CURDIR)/debian/tmp install

commit 4aa7a13a964ce9ce0c8442a9ecd533668178bd82
Author: Julien Cristau <jcristau@debian.org>
Date:   Mon Jun 24 16:01:21 2013 +0200

    Disable silent rules.

diff --git a/debian/changelog b/debian/changelog
index b14c7e3..53746d6 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,7 @@ libxext (2:1.3.2-1) UNRELEASED; urgency=low
   * New upstream release.
   * Bump debhelper compat level to 7.
   * Use dpkg-buildflags.
+  * Disable silent rules.
 
  -- Julien Cristau <jcristau@debian.org>  Mon, 24 Jun 2013 15:14:56 +0200
 
diff --git a/debian/rules b/debian/rules
index 09add30..7b79c26 100755
--- a/debian/rules
+++ b/debian/rules
@@ -45,6 +45,7 @@ build-stamp:
 	             --libdir=\$${prefix}/lib/$(DEB_HOST_MULTIARCH) \
 		     --docdir=\$${datadir}/doc/libxext-dev \
 	             --infodir=\$${prefix}/share/info \
+	             --disable-silent-rules \
 		     $(docflags) \
 		     $(confflags)
 	cd build && $(MAKE)

commit 342bdcc4663e7bcef0f6435d00c53a53581b70a9
Author: Julien Cristau <jcristau@debian.org>
Date:   Mon Jun 24 15:35:18 2013 +0200

    Use dpkg-buildflags.

diff --git a/debian/changelog b/debian/changelog
index 6ef5ff7..b14c7e3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,7 @@ libxext (2:1.3.2-1) UNRELEASED; urgency=low
 
   * New upstream release.
   * Bump debhelper compat level to 7.
+  * Use dpkg-buildflags.
 
  -- Julien Cristau <jcristau@debian.org>  Mon, 24 Jun 2013 15:14:56 +0200
 
diff --git a/debian/control b/debian/control
index 5b3cf7b..123d015 100644
--- a/debian/control
+++ b/debian/control
@@ -4,6 +4,9 @@ Priority: optional
 Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
 Uploaders: Cyril Brulebois <kibi@debian.org>
 Build-Depends:
+# dpkg-buildflags --export=configure
+ dpkg-dev (>= 1.16.1),
+# misc:Pre-Depends
  debhelper (>= 8.1.3),
  libx11-dev (>= 2:1.3.3-2),
  x11proto-core-dev (>= 7.0.13),
diff --git a/debian/rules b/debian/rules
index a07e8f4..09add30 100755
--- a/debian/rules
+++ b/debian/rules
@@ -12,12 +12,6 @@ PACKAGE = libxext6
 
 include debian/xsfbs/xsfbs.mk
 
-CFLAGS = -Wall -g
-ifneq (,$(filter noopt,$(DEB_BUILD_OPTIONS)))
-	CFLAGS += -O0
-else
-	CFLAGS += -O2
-endif
 ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
 	NUMJOBS = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
 	MAKEFLAGS += -j$(NUMJOBS)
@@ -32,6 +26,7 @@ ifeq ($(DEB_BUILD_GNU_TYPE), $(DEB_HOST_GNU_TYPE))
 else
 	confflags += --build=$(DEB_BUILD_GNU_TYPE) --host=$(DEB_HOST_GNU_TYPE)
 endif
+confflags += $(shell DEB_CFLAGS_MAINT_APPEND=-Wall dpkg-buildflags --export=configure)
 
 
 build: build-indep
@@ -50,9 +45,8 @@ build-stamp:
 	             --libdir=\$${prefix}/lib/$(DEB_HOST_MULTIARCH) \
 		     --docdir=\$${datadir}/doc/libxext-dev \
 	             --infodir=\$${prefix}/share/info \
-		     $(confflags) \
 		     $(docflags) \
-	             CFLAGS="$(CFLAGS)" 
+		     $(confflags)
 	cd build && $(MAKE)
 	>$@
 

commit 9e62c6512613d62848de94728fe86734f7209cdb
Author: Julien Cristau <jcristau@debian.org>
Date:   Mon Jun 24 15:30:02 2013 +0200

    Bump debhelper compat level to 7.

diff --git a/debian/changelog b/debian/changelog
index 3c52a64..6ef5ff7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,7 @@
 libxext (2:1.3.2-1) UNRELEASED; urgency=low
 
   * New upstream release.
+  * Bump debhelper compat level to 7.
 
  -- Julien Cristau <jcristau@debian.org>  Mon, 24 Jun 2013 15:14:56 +0200
 
diff --git a/debian/compat b/debian/compat
index 7ed6ff8..7f8f011 100644
--- a/debian/compat
+++ b/debian/compat
@@ -1 +1 @@
-5
+7
diff --git a/debian/rules b/debian/rules
index 2e9cef8..a07e8f4 100755
--- a/debian/rules
+++ b/debian/rules
@@ -86,8 +86,8 @@ binary-arch: build-arch install
 	dh_testroot
 
 	dh_installdocs -s
-	dh_install -s --sourcedir=debian/tmp --fail-missing -XlibXext.la
-	dh_installchangelogs -s ChangeLog
+	dh_install -s --fail-missing -XlibXext.la
+	dh_installchangelogs -s
 	dh_link -s
 	dh_installman -s
 	dh_strip -p$(PACKAGE) --dbg-package=$(PACKAGE)-dbg
@@ -107,8 +107,8 @@ binary-indep: build-indep install
 	dh_testroot
 
 	dh_installdocs -i
-	dh_install -i --sourcedir=debian/tmp --fail-missing -XlibXext.la
-	dh_installchangelogs -i ChangeLog
+	dh_install -i --fail-missing -XlibXext.la
+	dh_installchangelogs -i
 	dh_link -i
 	dh_installman -i
 	dh_compress -i

commit f829ae2e6c7faa208d2e4f92922d90261e06cf63
Author: Julien Cristau <jcristau@debian.org>
Date:   Mon Jun 24 15:15:23 2013 +0200

    Bump changelogs

diff --git a/ChangeLog b/ChangeLog
index be43714..6f74e6b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,180 @@
+commit d8366afbb0d2e4fbb1e419b1187f490522270bea
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Fri May 31 14:34:58 2013 -0700
+
+    libXext 1.3.2
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit dfe6e1f3b8ede3d0bab7a5fa57f73513a09ec649
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Sat Mar 9 14:40:33 2013 -0800
+
+    integer overflow in XSyncListSystemCounters() [CVE-2013-1982 6/6]
+    
+    If the number of counters or amount of data reported by the server is
+    large enough that it overflows when multiplied by the size of the
+    appropriate struct, then memory corruption can occur when more bytes
+    are read from the X server than the size of the buffers we allocated
+    to hold them.
+    
+    V2: Make sure we don't walk past the end of the reply when converting
+    data from wire format to the structures returned to the caller.
+    
+    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit 6ecd96e8be3c33e2ffad6631cea4aa0a030d93c2
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Sat Mar 9 14:40:33 2013 -0800
+
+    integer overflow in XShapeGetRectangles() [CVE-2013-1982 5/6]
+    
+    If the number of rectangles reported by the server is large enough that
+    it overflows when multiplied by the size of the appropriate struct, then
+    memory corruption can occur when more bytes are read from the X server
+    than the size of the buffer we allocated to hold them.
+    
+    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit 67ecdcf7e29de9fa78b421122620525ed2c7db88
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Sat Mar 9 14:40:33 2013 -0800
+
+    integer overflow in XeviGetVisualInfo() [CVE-2013-1982 4/6]
+    
+    If the number of visuals or conflicts reported by the server is large
+    enough that it overflows when multiplied by the size of the appropriate
+    struct, then memory corruption can occur when more bytes are read from
+    the X server than the size of the buffer we allocated to hold them.
+    
+    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit 96d1da55a08c4cd52b763cb07bdce5cdcbec4da8
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Sat Mar 9 14:40:33 2013 -0800
+
+    several integer overflows in XdbeGetVisualInfo() [CVE-2013-1982 3/6]
+    
+    If the number of screens or visuals reported by the server is large enough
+    that it overflows when multiplied by the size of the appropriate struct,
+    then memory corruption can occur when more bytes are read from the X server
+    than the size of the buffer we allocated to hold them.
+    
+    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit 082d70b19848059ba78c9d1c315114fb07e8c0ef
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Sat Mar 9 14:40:33 2013 -0800
+
+    integer overflow in XcupStoreColors() [CVE-2013-1982 2/6]
+    
+    If the computed number of entries is large enough that it overflows when
+    multiplied by the size of a xColorItem struct, or is treated as negative
+    when compared to the size of the stack allocated buffer, then memory
+    corruption can occur when more bytes are read from the X server than the
+    size of the buffer we allocated to hold them.
+    
+    The requirement to match the number of colors specified by the caller makes
+    this much harder to hit than the one in XcupGetReservedColormapEntries()
+    
+    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit d05f27a6f74cb419ad5a437f2e4690b17e7faee5
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Sat Mar 9 14:40:33 2013 -0800
+
+    integer overflow in XcupGetReservedColormapEntries() [CVE-2013-1982 1/6]
+    
+    If the computed number of entries is large enough that it overflows when
+    multiplied by the size of a xColorItem struct, or is treated as negative
+    when compared to the size of the stack allocated buffer, then memory
+    corruption can occur when more bytes are read from the X server than the
+    size of the buffer we allocated to hold them.
+    
+    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit ca84a813716f9de691dc3f60390d83af4b5ae534
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Sat Apr 13 09:32:12 2013 -0700
+
+    Use _XEatDataWords to avoid overflow of rep.length bit shifting
+    
+    rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit 8eee1236041d46a21faba32e0d27c26985267d89
+Author: Colin Walters <walters@verbum.org>
+Date:   Wed Jan 4 17:37:06 2012 -0500
+
+    autogen.sh: Implement GNOME Build API
+    
+    http://people.gnome.org/~walters/docs/build-api.txt
+    
+    Signed-off-by: Adam Jackson <ajax@redhat.com>
+
+commit dbf4b9ec4a8aa97b0c47d58ee158dd3aa8832af5
+Author: Adam Jackson <ajax@redhat.com>
+Date:   Tue Jan 15 14:28:48 2013 -0500
+
+    configure: Remove AM_MAINTAINER_MODE
+    
+    Signed-off-by: Adam Jackson <ajax@redhat.com>
+
+commit 7081afc98643e3ef8a3ed711183c8fc8fef30cfa
+Author: Eric S. Raymond <esr@thyrsus.com>
+Date:   Thu Aug 23 13:34:16 2012 -0400
+
+    Replace presentationm-level requests with .RS/RE.
+    
+    This will assist translation to DocBook.
+    
+    Signed-off-by: Eric S. Raymond <esr@thyrsus.com>
+
+commit d618eac132fc9e13bbfb9e58e3375f015db2a179
+Author: Eric S. Raymond <esr@thyrsus.com>
+Date:   Thu Aug 23 13:25:27 2012 -0400
+
+    Replace various unsafe presentation-level requests with .RS/.RE and .EX/EE.
+    
+    These can be translated structurally into DocBook.
+
+commit e78e51359fd22b69e646167bc9d3f9b28a5c755f
+Author: Thomas Klausner <wiz@NetBSD.org>
+Date:   Wed Jul 18 23:40:18 2012 +0200
+
+    Avoid having macros expand code to be: ((f) ? (f)->m1 : NULL)->m2
+    
+    From Matthew R. Green <mrg@NetBSD.org>
+    
+    Signed-off-by: Thomas Klausner <wiz@NetBSD.org>
+    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+commit ed8d50ba3a6f837d213ed7c39c2b63d33fc75a38
+Author: Chase Douglas <chase.douglas@canonical.com>
+Date:   Fri Apr 20 15:08:08 2012 -0700
+
+    Destroy generic event extension after last display is removed
+    
+    The extension record is currently leaked and never freed.
+    
+    Signed-off-by: Chase Douglas <chase.douglas@canonical.com>
+    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+commit c6fc799a81334a223cf0e924cd9e7e94ba147835
+Author: Peter Hutterer <peter.hutterer@who-t.net>
+Date:   Mon Apr 23 14:59:51 2012 +1000
+
+    sync: fix copy/paste error in comment
+    
+    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
 commit e9c1e346c90e697d5d8f0e756ef8b6e3ed339e29
 Author: Alan Coopersmith <alan.coopersmith@oracle.com>
 Date:   Wed Mar 7 19:54:50 2012 -0800
diff --git a/debian/changelog b/debian/changelog
index 1a841f3..3c52a64 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+libxext (2:1.3.2-1) UNRELEASED; urgency=low
+
+  * New upstream release.
+
+ -- Julien Cristau <jcristau@debian.org>  Mon, 24 Jun 2013 15:14:56 +0200
+
 libxext (2:1.3.1-2+deb7u1) wheezy-security; urgency=high
 
   * integer overflows calculating memory needs for replies [CVE-2013-1982]

commit d8366afbb0d2e4fbb1e419b1187f490522270bea
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri May 31 14:34:58 2013 -0700

    libXext 1.3.2
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

diff --git a/configure.ac b/configure.ac
index fb9888d..9a1e0c2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,7 +1,7 @@
 
 # Initialize Autoconf
 AC_PREREQ([2.60])
-AC_INIT([libXext], [1.3.1],
+AC_INIT([libXext], [1.3.2],
         [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXext])
 AC_CONFIG_SRCDIR([Makefile.am])
 AC_CONFIG_HEADERS([config.h])

commit bd85c13141bf096377f219b631eaa0c31e54e282
Author: Julien Cristau <jcristau@debian.org>
Date:   Tue May 14 00:55:11 2013 +0200

    Upload to wheezy-security

diff --git a/debian/changelog b/debian/changelog
index de2f3cf..1a841f3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+libxext (2:1.3.1-2+deb7u1) wheezy-security; urgency=high
+
+  * integer overflows calculating memory needs for replies [CVE-2013-1982]
+
+ -- Julien Cristau <jcristau@debian.org>  Tue, 14 May 2013 00:46:19 +0200
+
 libxext (2:1.3.1-2) unstable; urgency=low
 
   * Split docs out to a separate libxext-doc package.  libxext-dev is now

commit c835b658fed055a3c1ea6fe485fa56bc050f701d
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 9 14:40:33 2013 -0800

    integer overflow in XSyncListSystemCounters() [CVE-2013-1982 6/6]
    
    If the number of counters or amount of data reported by the server is
    large enough that it overflows when multiplied by the size of the
    appropriate struct, then memory corruption can occur when more bytes
    are read from the X server than the size of the buffers we allocated
    to hold them.
    
    V2: Make sure we don't walk past the end of the reply when converting
    data from wire format to the structures returned to the caller.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

diff --git a/src/XSync.c b/src/XSync.c
index e7fbdcd..0984a62 100644
--- a/src/XSync.c
+++ b/src/XSync.c
@@ -59,6 +59,7 @@ PERFORMANCE OF THIS SOFTWARE.
 #include <X11/extensions/extutil.h>
 #include <X11/extensions/sync.h>
 #include <X11/extensions/syncproto.h>
+#include <limits.h>
 #include "eat.h"
 
 static XExtensionInfo _sync_info_data;
@@ -352,19 +353,28 @@ XSyncListSystemCounters(Display *dpy, int *n_counters_return)
     if (rep.nCounters > 0)
     {
 	xSyncSystemCounter *pWireSysCounter, *pNextWireSysCounter;
+	xSyncSystemCounter *pLastWireSysCounter;
 	XSyncCounter counter;
-	int replylen;
+	unsigned int replylen;
 	int i;
 
-	list = Xmalloc(rep.nCounters * sizeof(XSyncSystemCounter));
-	replylen = rep.length << 2;
-	pWireSysCounter = Xmalloc ((unsigned) replylen + sizeof(XSyncCounter));
-        /* +1 to leave room for last counter read-ahead */
+	if (rep.nCounters < (INT_MAX / sizeof(XSyncSystemCounter)))
+	    list = Xmalloc(rep.nCounters * sizeof(XSyncSystemCounter));
+	if (rep.length < (INT_MAX >> 2)) {
+	    replylen = rep.length << 2;
+	    pWireSysCounter = Xmalloc (replylen + sizeof(XSyncCounter));
+	    /* +1 to leave room for last counter read-ahead */
+	    pLastWireSysCounter = (xSyncSystemCounter *)
+		((char *)pWireSysCounter) + replylen;
+	} else {
+	    replylen = 0;
+	    pWireSysCounter = NULL;
+	}
 
 	if ((!list) || (!pWireSysCounter))
 	{
-	    if (list) Xfree((char *) list);
-	    if (pWireSysCounter)   Xfree((char *) pWireSysCounter);
+	    Xfree(list);
+	    Xfree(pWireSysCounter);
 	    _XEatDataWords(dpy, rep.length);
 	    list = NULL;
 	    goto bail;
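Review bot: The end-of-reply pointer is wrong because the cast binds tighter than the addition in `pLastWireSysCounter = (xSyncSystemCounter *) ((char *)pWireSysCounter) + replylen;`. The `+ replylen` is therefore scaled by `sizeof(xSyncSystemCounter)` instead of being counted in bytes, so the limit lands far beyond the allocation and the bounds check added later in this function cannot catch a walk past the end of the reply. Group the byte arithmetic before the cast: `pLastWireSysCounter = (xSyncSystemCounter *) (((char *)pWireSysCounter) + replylen);`. Separately, the `rep.nCounters` guard has no `else`, so the following `if ((!list) || ...)` depends on `list` having been initialised to NULL in the declaration outside this hunk; an explicit `else list = NULL;` would make that local.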
@@ -388,6 +398,14 @@ XSyncListSystemCounters(Display *dpy, int *n_counters_return)
 	    pNextWireSysCounter = (xSyncSystemCounter *)
 		(((char *)pWireSysCounter) + ((SIZEOF(xSyncSystemCounter) +
 				     pWireSysCounter->name_length + 3) & ~3));
+	    /* Make sure we haven't gone too far */
+	    if (pNextWireSysCounter > pLastWireSysCounter) {
+		Xfree(list);
+		Xfree(pWireSysCounter);
+		list = NULL;
+		goto bail;
+	    }
+
 	    counter = pNextWireSysCounter->counter;
 
 	    list[i].name = ((char *)pWireSysCounter) +
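Review bot: The new bail-out calls `Xfree(pWireSysCounter)` from inside the loop, which frees the wrong address if `pWireSysCounter` is advanced to `pNextWireSysCounter` at the end of each iteration. That advance is not visible here, since the rest of the loop body is outside this hunk, but it would mean an interior pointer is freed from the second iteration onward. Keeping the allocation base in its own variable avoids this, for example `xSyncSystemCounter *pWireStart = pWireSysCounter;` before the loop and `Xfree(pWireStart);` here (the name is illustrative). The check itself is only as good as `pLastWireSysCounter`, which is computed in the previous hunk.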

commit 4ab9367b58cbef5549be6ee45c48595b49e9140e
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 9 14:40:33 2013 -0800

    integer overflow in XShapeGetRectangles() [CVE-2013-1982 5/6]
    
    If the number of rectangles reported by the server is large enough that
    it overflows when multiplied by the size of the appropriate struct, then
    memory corruption can occur when more bytes are read from the X server
    than the size of the buffer we allocated to hold them.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

diff --git a/src/XShape.c b/src/XShape.c
index 3987876..d025020 100644
--- a/src/XShape.c
+++ b/src/XShape.c
@@ -35,6 +35,7 @@ in this Software without prior written authorization from The Open Group.
 #include <X11/extensions/extutil.h>
 #include <X11/extensions/shape.h>
 #include <X11/extensions/shapeproto.h>
+#include <limits.h>
 #include "eat.h"
 
 static XExtensionInfo _shape_info_data;
@@ -443,7 +444,7 @@ XRectangle *XShapeGetRectangles (
     xShapeGetRectanglesReply	    rep;
     XRectangle			    *rects;
     xRectangle			    *xrects;
-    int				    i;
+    unsigned int		    i;
 
     ShapeCheckExtension (dpy, info, (XRectangle *)NULL);
 
@@ -461,20 +462,23 @@ XRectangle *XShapeGetRectangles (
     *count = rep.nrects;
     *ordering = rep.ordering;
     rects = NULL;
-    if (*count) {
-	xrects = (xRectangle *) Xmalloc (*count * sizeof (xRectangle));
-	rects = (XRectangle *) Xmalloc (*count * sizeof (XRectangle));
+    if (rep.nrects) {
+	if (rep.nrects < (INT_MAX / sizeof (XRectangle))) {
+	    xrects = Xmalloc (rep.nrects * sizeof (xRectangle));
+	    rects = Xmalloc (rep.nrects * sizeof (XRectangle));
+	} else {
+	    xrects = NULL;
+	    rects = NULL;
+	}
 	if (!xrects || !rects) {
-	    if (xrects)
-		Xfree (xrects);
-	    if (rects)
-		Xfree (rects);
+	    Xfree (xrects);
+	    Xfree (rects);
 	    _XEatDataWords (dpy, rep.length);
 	    rects = NULL;
 	    *count = 0;
 	} else {
-	    _XRead (dpy, (char *) xrects, *count * sizeof (xRectangle));
-	    for (i = 0; i < *count; i++) {
+	    _XRead (dpy, (char *) xrects, rep.nrects * sizeof (xRectangle));
+	    for (i = 0; i < rep.nrects; i++) {
 	    	rects[i].x = (short) cvtINT16toInt (xrects[i].x);
 	    	rects[i].y = (short) cvtINT16toInt (xrects[i].y);
 	    	rects[i].width = xrects[i].width;
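Review bot: `rep.nrects` is bounded against `INT_MAX` but never against `rep.length`, so the `_XRead` of `rep.nrects * sizeof (xRectangle)` bytes can request more data than the reply declares. The allocation is then large enough, but the read would block or consume bytes belonging to the next reply or event, leaving the connection out of sync. Since a wire rectangle should be two 4-byte words, adding `rep.nrects <= (rep.length >> 1)` to the guard would reject such replies; confirm the wire size against shapeproto.h. The conversion loop continues past the end of this hunk.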

commit 836d056daf460fd174f4380957b66a3d46fc5506
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 9 14:40:33 2013 -0800

    integer overflow in XeviGetVisualInfo() [CVE-2013-1982 4/6]
    
    If the number of visuals or conflicts reported by the server is large
    enough that it overflows when multiplied by the size of the appropriate
    struct, then memory corruption can occur when more bytes are read from
    the X server than the size of the buffer we allocated to hold them.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

diff --git a/src/XEVI.c b/src/XEVI.c
index 0125c51..5a95583 100644
--- a/src/XEVI.c
+++ b/src/XEVI.c
@@ -30,6 +30,7 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
 #include <X11/extensions/Xext.h>
 #include <X11/extensions/extutil.h>
 #include <X11/Xutil.h>
+#include <limits.h>
 #include "eat.h"
 
 static XExtensionInfo *xevi_info;/* needs to move to globals.c */
@@ -165,13 +166,20 @@ Status XeviGetVisualInfo(
 	return BadAccess;
     }
     Xfree(temp_visual);
-    sz_info = rep.n_info * sizeof(ExtendedVisualInfo);
-    sz_xInfo = rep.n_info * sz_xExtendedVisualInfo;
-    sz_conflict = rep.n_conflicts * sizeof(VisualID);
-    sz_xConflict = rep.n_conflicts * sz_VisualID32;
-    infoPtr = *evi_return = (ExtendedVisualInfo *)Xmalloc(sz_info + sz_conflict);
-    xInfoPtr = temp_xInfo = (xExtendedVisualInfo *)Xmalloc(sz_xInfo);
-    xConflictPtr = temp_conflict = (VisualID32 *)Xmalloc(sz_xConflict);
+    if ((rep.n_info < 65536) && (rep.n_conflicts < 65536)) {
+	sz_info = rep.n_info * sizeof(ExtendedVisualInfo);
+	sz_xInfo = rep.n_info * sz_xExtendedVisualInfo;
+	sz_conflict = rep.n_conflicts * sizeof(VisualID);
+	sz_xConflict = rep.n_conflicts * sz_VisualID32;
+	*evi_return = Xmalloc(sz_info + sz_conflict);
+	temp_xInfo = Xmalloc(sz_xInfo);
+	temp_conflict = Xmalloc(sz_xConflict);
+    } else {
+	sz_xInfo = sz_xConflict = 0;
+	*evi_return = NULL;
+	temp_xInfo = NULL;
+	temp_conflict = NULL;
+    }
     if (!*evi_return || !temp_xInfo || !temp_conflict) {
 	_XEatDataWords(dpy, rep.length);
 	UnlockDisplay(dpy);
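Review bot: The `65536` cap on `rep.n_info` and `rep.n_conflicts` is an unexplained magic number, whereas the sibling fixes in this series bound their counts with `INT_MAX / sizeof(...)`. A one-line comment above the `if` would record why the cap is sufficient, for example `/* cap the counts so each size product, and sz_info + sz_conflict, cannot overflow */`. In the `else` branch `sz_info` and `sz_conflict` are left unset, which is safe only because the NULL check immediately after takes the early-exit path. Their declarations and the rest of the function are outside this hunk.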
@@ -188,6 +196,9 @@ Status XeviGetVisualInfo(
     _XRead(dpy, (char *)temp_conflict, sz_xConflict);
     UnlockDisplay(dpy);
     SyncHandle();
+    infoPtr = *evi_return;
+    xInfoPtr = temp_xInfo;
+    xConflictPtr = temp_conflict;
     n_data = rep.n_info;
     conflict = (VisualID *)(infoPtr + n_data);
     while (n_data-- > 0) {

commit 3ea550613ed0267086934e6389fbef0656f6f501
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 9 14:40:33 2013 -0800

    several integer overflows in XdbeGetVisualInfo() [CVE-2013-1982 3/6]
    
    If the number of screens or visuals reported by the server is large enough
    that it overflows when multiplied by the size of the appropriate struct,
    then memory corruption can occur when more bytes are read from the X server
    than the size of the buffer we allocated to hold them.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

diff --git a/src/Xdbe.c b/src/Xdbe.c
index 4b5fa18..016886c 100644
--- a/src/Xdbe.c
+++ b/src/Xdbe.c
@@ -39,6 +39,8 @@
 #include <X11/extensions/extutil.h>
 #include <X11/extensions/Xdbe.h>
 #include <X11/extensions/dbeproto.h>
+#include <limits.h>
+#include "eat.h"
 
 static XExtensionInfo _dbe_info_data;
 static XExtensionInfo *dbe_info = &_dbe_info_data;
@@ -352,9 +354,12 @@ XdbeScreenVisualInfo *XdbeGetVisualInfo (
        *num_screens = rep.m;
 
     /* allocate list of visual information to be returned */
-    if (!(scrVisInfo =
-        (XdbeScreenVisualInfo *)Xmalloc(
-        (unsigned)(*num_screens * sizeof(XdbeScreenVisualInfo))))) {
+    if ((*num_screens > 0) && (*num_screens < 65536))
+        scrVisInfo = Xmalloc(*num_screens * sizeof(XdbeScreenVisualInfo));
+    else
+        scrVisInfo = NULL;
+    if (scrVisInfo == NULL) {
+        _XEatDataWords(dpy, rep.length);
         UnlockDisplay (dpy);
         SyncHandle ();
         return NULL;
@@ -362,25 +367,27 @@ XdbeScreenVisualInfo *XdbeGetVisualInfo (
 
     for (i = 0; i < *num_screens; i++)
     {
-        int nbytes;
         int j;
-        long c;
+        unsigned long c;
 
-        _XRead32 (dpy, &c, sizeof(CARD32));
-        scrVisInfo[i].count = c;
+        _XRead32 (dpy, (long *) &c, sizeof(CARD32));
 
-        nbytes = scrVisInfo[i].count * sizeof(XdbeVisualInfo);
+        if (c < 65536) {
+            scrVisInfo[i].count = c;
+            scrVisInfo[i].visinfo = Xmalloc(c * sizeof(XdbeVisualInfo));
+        } else
+            scrVisInfo[i].visinfo = NULL;
 
         /* if we can not allocate the list of visual/depth info
          * then free the lists that we already allocate as well
          * as the visual info list itself
          */
-        if (!(scrVisInfo[i].visinfo = (XdbeVisualInfo *)Xmalloc(
-            (unsigned)nbytes))) {
+        if (scrVisInfo[i].visinfo == NULL) {
             for (j = 0; j < i; j++) {
                 Xfree ((char *)scrVisInfo[j].visinfo);
             }
             Xfree ((char *)scrVisInfo);
+            _XEatDataWords(dpy, rep.length);
             UnlockDisplay (dpy);
             SyncHandle ();
             return NULL;
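Review bot: The `_XEatDataWords(dpy, rep.length)` added to the per-screen failure path discards the full reply length even though part of the reply has already been consumed. By that point `_XRead32` has read this screen's count, and on later iterations the earlier screens' data has been read too. Assuming `rep.length` counts all data following the fixed reply, this asks for at least one word more than remains, so it can swallow the start of the next reply or block. Track how many words the loop has read and discard only the rest, for example `_XEatDataWords(dpy, rep.length - words_read);` with an illustrative `words_read` counter updated after each read. The reads of the visual data are outside this hunk.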

commit 1e99cf4a553712dd14882fca6982eabf877224c7
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 9 14:40:33 2013 -0800

    integer overflow in XcupStoreColors() [CVE-2013-1982 2/6]
    
    If the computed number of entries is large enough that it overflows when
    multiplied by the size of a xColorItem struct, or is treated as negative
    when compared to the size of the stack allocated buffer, then memory
    corruption can occur when more bytes are read from the X server than the
    size of the buffer we allocated to hold them.
    
    The requirement to match the number of colors specified by the caller makes
    this much harder to hit than the one in XcupGetReservedColormapEntries()
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

diff --git a/src/Xcup.c b/src/Xcup.c
index 670f356..cdc64c2 100644
--- a/src/Xcup.c
+++ b/src/Xcup.c
@@ -219,24 +219,21 @@ XcupStoreColors(
     }
 
     if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) {
-	long nbytes;
+	unsigned long nbytes;
 	xColorItem* rbufp;
 	xColorItem* cs;
-	int nentries = rep.length / 3;
-
-	nbytes = nentries * SIZEOF (xColorItem);
+	unsigned int nentries = rep.length / 3;
 
-	if (nentries != ncolors) {
-	    _XEatDataWords(dpy, rep.length);
-	    UnlockDisplay (dpy);
-	    SyncHandle ();
-	    return False;
-	}
+	if ((nentries == ncolors) &&
+	    (nentries < (INT_MAX / SIZEOF (xColorItem)))) {
+	    nbytes = nentries * SIZEOF (xColorItem);
 
-	if (ncolors > 256)
-	    rbufp = (xColorItem*) Xmalloc (nbytes);
-	else
-	    rbufp = rbuf;
+	    if (ncolors > 256)
+		rbufp = Xmalloc (nbytes);
+	    else
+		rbufp = rbuf;
+	} else
+	    rbufp = NULL;
 
 	if (rbufp == NULL) {
 	    _XEatDataWords(dpy, rep.length);

commit b4d2357dd8ef1938186a4ae1a6924eefc08ab591
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 9 14:40:33 2013 -0800

    integer overflow in XcupGetReservedColormapEntries() [CVE-2013-1982 1/6]
    
    If the computed number of entries is large enough that it overflows when
    multiplied by the size of a xColorItem struct, or is treated as negative
    when compared to the size of the stack allocated buffer, then memory
    corruption can occur when more bytes are read from the X server than the
    size of the buffer we allocated to hold them.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

diff --git a/src/Xcup.c b/src/Xcup.c
index 1f1d625..670f356 100644
--- a/src/Xcup.c
+++ b/src/Xcup.c
@@ -36,6 +36,7 @@ in this Software without prior written authorization from The Open Group.
 #include <X11/extensions/cupproto.h>
 #include <X11/extensions/Xext.h>
 #include <X11/extensions/extutil.h>
+#include <limits.h>
 #include "eat.h"
 
 static XExtensionInfo _xcup_info_data;
@@ -134,15 +135,19 @@ XcupGetReservedColormapEntries(
     req->xcupReqType = X_XcupGetReservedColormapEntries;
     req->screen = screen;
     if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) {
-	long nbytes;
+	unsigned long nbytes;
 	xColorItem* rbufp;
-	int nentries = rep.length / 3;
+	unsigned int nentries = rep.length / 3;
 
-	nbytes = nentries * SIZEOF (xColorItem);
-	if (nentries > TYP_RESERVED_ENTRIES)
-	    rbufp = (xColorItem*) Xmalloc (nbytes);
-	else
-	    rbufp = rbuf;
+	if (nentries < (INT_MAX / SIZEOF (xColorItem))) {
+	    nbytes = nentries * SIZEOF (xColorItem);
+
+	    if (nentries > TYP_RESERVED_ENTRIES)
+		rbufp = Xmalloc (nbytes);
+	    else
+		rbufp = rbuf;
+	} else
+	    rbufp = NULL;
 
 	if (rbufp == NULL) {
 	    _XEatDataWords(dpy, rep.length);

commit 3c773c2cedb7319ede5e5e9159c29af7ba9095b3
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Apr 13 09:32:12 2013 -0700

    Use _XEatDataWords to avoid overflow of rep.length bit shifting
    
    rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

diff --git a/COPYING b/COPYING
index 80622a0..e3a63ef 100644
--- a/COPYING
+++ b/COPYING
@@ -160,7 +160,8 @@ makes no representations about the suitability for any purpose
 of the information in this document.  This documentation is
 provided ``as is'' without express or implied warranty.
 
-Copyright (c) 1999, 2005, 2006, Oracle and/or its affiliates. All rights reserved.
+Copyright (c) 1999, 2005, 2006, 2013, Oracle and/or its affiliates.
+All rights reserved.
 
 Permission is hereby granted, free of charge, to any person obtaining a
 copy of this software and associated documentation files (the "Software"),
diff --git a/configure.ac b/configure.ac
index 7f81504..90d65fe 100644
--- a/configure.ac
+++ b/configure.ac
@@ -39,6 +39,12 @@ AC_SUBST(XEXT_SOREV)
 # Obtain compiler/linker options for depedencies
 PKG_CHECK_MODULES(XEXT, [xproto >= 7.0.13] [x11 >= 1.1.99.1] [xextproto >= 7.1.99])
 
+# Check for _XEatDataWords function that may be patched into older Xlib releases
+SAVE_LIBS="$LIBS"
+LIBS="$XEXT_LIBS"
+AC_CHECK_FUNCS([_XEatDataWords])
+LIBS="$SAVE_LIBS"
+
 # Allow checking code with lint, sparse, etc.
 XORG_WITH_LINT
 XORG_LINT_LIBRARY([Xext])
diff --git a/src/Makefile.am b/src/Makefile.am
index e236c33..b828547 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -12,6 +12,7 @@ libXext_la_LDFLAGS = -version-number $(XEXT_SOREV) -no-undefined
 libXext_la_LIBADD = $(XEXT_LIBS)
 
 libXext_la_SOURCES = \
+	eat.h \
 	DPMS.c \
 	MITMisc.c \
 	XAppgroup.c \
diff --git a/src/XEVI.c b/src/XEVI.c
index eb09daa..0125c51 100644
--- a/src/XEVI.c
+++ b/src/XEVI.c
@@ -30,6 +30,8 @@ THE USE OR PERFORMANCE OF THIS SOFTWARE.
 #include <X11/extensions/Xext.h>
 #include <X11/extensions/extutil.h>
 #include <X11/Xutil.h>
+#include "eat.h"
+
 static XExtensionInfo *xevi_info;/* needs to move to globals.c */
 static const char *xevi_extension_name = EVINAME;
 #define XeviCheckExtension(dpy,i,val) \
@@ -171,7 +173,7 @@ Status XeviGetVisualInfo(
     xInfoPtr = temp_xInfo = (xExtendedVisualInfo *)Xmalloc(sz_xInfo);
     xConflictPtr = temp_conflict = (VisualID32 *)Xmalloc(sz_xConflict);
     if (!*evi_return || !temp_xInfo || !temp_conflict) {
-        _XEatData(dpy, (sz_xInfo + sz_xConflict + 3) & ~3);
+	_XEatDataWords(dpy, rep.length);
 	UnlockDisplay(dpy);
 	SyncHandle();
 	if (evi_return)
diff --git a/src/XMultibuf.c b/src/XMultibuf.c
index 7a746ba..43d56d3 100644
--- a/src/XMultibuf.c
+++ b/src/XMultibuf.c
@@ -34,6 +34,7 @@ in this Software without prior written authorization from The Open Group.
 #include <X11/extensions/extutil.h>
 #include <X11/extensions/multibufproto.h>
 #include <X11/extensions/multibuf.h>
+#include "eat.h"
 
 static XExtensionInfo _multibuf_info_data;
 static XExtensionInfo *multibuf_info = &_multibuf_info_data;
@@ -408,7 +409,7 @@ Status XmbufGetWindowAttributes (
 	attr->buffers = (Multibuffer *) Xmalloc((unsigned) nbytes);
 	nbytes = rep.length << 2;
 	if (! attr->buffers) {
-	    _XEatData(dpy, (unsigned long) nbytes);
+	    _XEatDataWords(dpy, rep.length);
 	    UnlockDisplay(dpy);
 	    SyncHandle();
 	    return (0);
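Review bot: The context line `nbytes = rep.length << 2;` is left untouched, so the shift the commit message warns about can still overflow on 32-bit builds. The buffer is also sized from an `nbytes` value computed before this hunk and then reassigned. If the read that follows (outside the hunk) uses the reassigned `nbytes`, a large or inconsistent `rep.length` could make the read length disagree with the allocation. A guard like the one used in XSync.c, `if (rep.length < (INT_MAX >> 2))` before allocating, with the failure path taken otherwise, would close that. The same guard should ensure the allocation and the read use one validated length.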
diff --git a/src/XSecurity.c b/src/XSecurity.c
index f8c7da1..ab17755 100644
--- a/src/XSecurity.c
+++ b/src/XSecurity.c
@@ -33,6 +33,7 @@ in this Software without prior written authorization from The Open Group.

