
libxrender: Changes to 'debian-unstable'



 ChangeLog        |   80 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 autogen.sh       |    4 ++
 configure.ac     |    9 ++++--
 debian/changelog |   16 +++++++++++
 debian/compat    |    2 -
 debian/control   |    2 +
 debian/rules     |   21 ++++----------
 src/Filter.c     |   41 +++++++++++++++++-----------
 src/Xrender.c    |   69 ++++++++++++++++++++++++++++++-----------------
 src/Xrenderint.h |   14 +++++++++
 10 files changed, 200 insertions(+), 58 deletions(-)

New commits:
commit 7dd94cfb646cdc6a97c73b8be911e3c51f7357cb
Author: Julien Cristau <jcristau@debian.org>
Date:   Sun Jun 30 19:34:12 2013 +0200

    Upload to unstable

diff --git a/debian/changelog b/debian/changelog
index 1340059..8196d8d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-libxrender (1:0.9.8-1) UNRELEASED; urgency=low
+libxrender (1:0.9.8-1) sid; urgency=low
 
   * New upstream release.
   * Bump debhelper compat level to 7.
@@ -6,7 +6,7 @@ libxrender (1:0.9.8-1) UNRELEASED; urgency=low
   * Disable silent build rules.
   * Use dh_prep instead of dh_clean -k.
 
- -- Julien Cristau <jcristau@debian.org>  Sun, 30 Jun 2013 19:05:55 +0200
+ -- Julien Cristau <jcristau@debian.org>  Sun, 30 Jun 2013 19:34:07 +0200
 
 libxrender (1:0.9.7-1+deb7u1) wheezy-security; urgency=high
 

commit bee250e8e88d05a51644d0688f048dae1b3e9ed2
Author: Julien Cristau <jcristau@debian.org>
Date:   Sun Jun 30 19:33:36 2013 +0200

    Use dh_prep instead of dh_clean -k.

diff --git a/debian/changelog b/debian/changelog
index dbb5de4..1340059 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,7 @@ libxrender (1:0.9.8-1) UNRELEASED; urgency=low
   * Bump debhelper compat level to 7.
   * Use dpkg-buildflags.
   * Disable silent build rules.
+  * Use dh_prep instead of dh_clean -k.
 
  -- Julien Cristau <jcristau@debian.org>  Sun, 30 Jun 2013 19:05:55 +0200
 
diff --git a/debian/rules b/debian/rules
index a9f8048..dcdb587 100755
--- a/debian/rules
+++ b/debian/rules
@@ -62,16 +62,14 @@ clean:
 install: build
 	dh_testdir
 	dh_testroot
-	dh_clean -k
+	dh_prep
 	dh_installdirs
-
 	cd build && $(MAKE) DESTDIR=$(CURDIR)/debian/tmp install
 
 # Build architecture-dependent files here.
 binary-arch: build install
 	dh_testdir
 	dh_testroot
-
 	dh_installdocs
 	dh_install --list-missing
 	dh_installchangelogs

commit 9a9de057f54c084411d790d8f04606dace7eeb23
Author: Julien Cristau <jcristau@debian.org>
Date:   Sun Jun 30 19:12:38 2013 +0200

    Disable silent build rules.

diff --git a/debian/changelog b/debian/changelog
index df03a2e..dbb5de4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,7 @@ libxrender (1:0.9.8-1) UNRELEASED; urgency=low
   * New upstream release.
   * Bump debhelper compat level to 7.
   * Use dpkg-buildflags.
+  * Disable silent build rules.
 
  -- Julien Cristau <jcristau@debian.org>  Sun, 30 Jun 2013 19:05:55 +0200
 
diff --git a/debian/rules b/debian/rules
index fd7e0bf..a9f8048 100755
--- a/debian/rules
+++ b/debian/rules
@@ -41,6 +41,7 @@ build-stamp:
 	../configure --prefix=/usr --mandir=\$${prefix}/share/man \
 	             --libdir=\$${prefix}/lib/$(DEB_HOST_MULTIARCH) \
 	             --infodir=\$${prefix}/share/info \
+	             --disable-silent-rules \
 	             $(confflags)
 	cd build && $(MAKE)
 	>$@

commit 19692e9a626e5a4d1d07a55857b3df087b463a71
Author: Julien Cristau <jcristau@debian.org>
Date:   Sun Jun 30 19:12:00 2013 +0200

    Use dpkg-buildflags.

diff --git a/debian/changelog b/debian/changelog
index f13c206..df03a2e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,7 @@ libxrender (1:0.9.8-1) UNRELEASED; urgency=low
 
   * New upstream release.
   * Bump debhelper compat level to 7.
+  * Use dpkg-buildflags.
 
  -- Julien Cristau <jcristau@debian.org>  Sun, 30 Jun 2013 19:05:55 +0200
 
diff --git a/debian/control b/debian/control
index e289b92..60fce1f 100644
--- a/debian/control
+++ b/debian/control
@@ -5,6 +5,8 @@ Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
 Uploaders: Cyril Brulebois <kibi@debian.org>
 Build-Depends:
  debhelper (>= 8.1.3),
+# dpkg-buildflags --export=configure
+ dpkg-dev (>= 1.16.1),
  pkg-config,
  libx11-dev (>= 2:1.3.3-2),
  x11proto-render-dev,
diff --git a/debian/rules b/debian/rules
index 295352e..fd7e0bf 100755
--- a/debian/rules
+++ b/debian/rules
@@ -12,12 +12,6 @@ PACKAGE = libxrender1
 
 include debian/xsfbs/xsfbs.mk
 
-CFLAGS = -Wall -g
-ifneq (,$(filter noopt,$(DEB_BUILD_OPTIONS)))
-	CFLAGS += -O0
-else
-	CFLAGS += -O2
-endif
 ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
 	NUMJOBS = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
 	MAKEFLAGS += -j$(NUMJOBS)
@@ -32,7 +26,7 @@ ifeq ($(DEB_BUILD_GNU_TYPE), $(DEB_HOST_GNU_TYPE))
 else
 	confflags += --build=$(DEB_BUILD_GNU_TYPE) --host=$(DEB_HOST_GNU_TYPE)
 endif
-
+confflags += $(shell DEB_CFLAGS_MAINT_APPEND=-Wall dpkg-buildflags --export=configure)
 
 build: build-arch build-indep
 build-arch: build-stamp
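Review bot: `confflags += $(shell DEB_CFLAGS_MAINT_APPEND=-Wall dpkg-buildflags --export=configure)` appends a `$(shell …)` call to confflags, which the surrounding `confflags += --build=…` lines suggest is a recursively-expanded variable (unless it was declared with `:=` earlier in the file), so dpkg-buildflags is re-executed on every expansion of `$(confflags)` instead of once at parse time. The configure recipe expands it only once, so today the cost is one extra fork, but the idiom is fragile; hoist it into a simply-expanded variable, `buildflags := $(shell DEB_CFLAGS_MAINT_APPEND=-Wall dpkg-buildflags --export=configure)` followed by `confflags += $(buildflags)`. Because `--export=configure` prints quoted `CFLAGS=… CPPFLAGS=… LDFLAGS=…` assignments for the shell to parse, the later hunk that drops `CFLAGS="$(CFLAGS)"` from the configure line is the right companion change. A one-line comment above the assignment saying that optimisation, the `noopt` handling the deleted ifneq block used to do, and the hardening flags that dpkg-dev (>= 1.16.1) enables by default now all come from dpkg-buildflags would spare the next maintainer a trip to the changelog.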
@@ -46,8 +40,8 @@ build-stamp:
 	cd build && \
 	../configure --prefix=/usr --mandir=\$${prefix}/share/man \
 	             --libdir=\$${prefix}/lib/$(DEB_HOST_MULTIARCH) \
-	             --infodir=\$${prefix}/share/info $(confflags) \
-	             CFLAGS="$(CFLAGS)" 
+	             --infodir=\$${prefix}/share/info \
+	             $(confflags)
 	cd build && $(MAKE)
 	>$@
 

commit 7aaec9614ef9c544653dd334f43aa9c9a1a23070
Author: Julien Cristau <jcristau@debian.org>
Date:   Sun Jun 30 19:10:33 2013 +0200

    Bump debhelper compat level to 7.

diff --git a/debian/changelog b/debian/changelog
index 7ff3613..f13c206 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,7 @@
 libxrender (1:0.9.8-1) UNRELEASED; urgency=low
 
   * New upstream release.
+  * Bump debhelper compat level to 7.
 
  -- Julien Cristau <jcristau@debian.org>  Sun, 30 Jun 2013 19:05:55 +0200
 
diff --git a/debian/compat b/debian/compat
index 7ed6ff8..7f8f011 100644
--- a/debian/compat
+++ b/debian/compat
@@ -1 +1 @@
-5
+7
diff --git a/debian/rules b/debian/rules
index e2ae592..295352e 100755
--- a/debian/rules
+++ b/debian/rules
@@ -78,8 +78,8 @@ binary-arch: build install
 	dh_testroot
 
 	dh_installdocs
-	dh_install --sourcedir=debian/tmp --list-missing
-	dh_installchangelogs ChangeLog
+	dh_install --list-missing
+	dh_installchangelogs
 	dh_link
 	dh_strip -p$(PACKAGE) --dbg-package=$(PACKAGE)-dbg
 	dh_strip -N$(PACKAGE)

commit f57d23f6e4a6a52e1a6e88be1d6a3d460a019372
Author: Julien Cristau <jcristau@debian.org>
Date:   Sun Jun 30 19:09:52 2013 +0200

    Bump changelogs

diff --git a/ChangeLog b/ChangeLog
index e8d7f8c..8e733a4 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,83 @@
+commit 61236e831f8cc0761b26b49e37a4df9c187aa0ba
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Thu Jun 13 22:41:00 2013 -0700
+
+    libXrender 0.9.8
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit 786f78fd8df6d165ccbc81f306fd9f22b5c1551c
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Fri Apr 12 23:02:11 2013 -0700
+
+    integer overflow in XRenderQueryPictIndexValues() [CVE-2013-1987 3/3]
+    
+    The length and numIndexValues members of the reply are both CARD32 and
+    need to be bounds checked before multiplying by sizeof (XIndexValue) to
+    avoid integer overflow leading to underallocation and writing data from
+    the network past the end of the allocated buffer.
+    
+    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit 9e577d40322b9e3d8bdefec0eefa44d8ead451a4
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Fri Apr 12 23:02:11 2013 -0700
+
+    integer overflow in XRenderQueryFormats() [CVE-2013-1987 2/3]
+    
+    The length, numFormats, numScreens, numDepths, and numVisuals members of
+    the reply are all CARD32 and need to be bounds checked before multiplying
+    and adding them together to come up with the total size to allocate, to
+    avoid integer overflow leading to underallocation and writing data from
+    the network past the end of the allocated buffer.
+    
+    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit e52853974664289fe42a92909667ed77cfa1cec5
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Fri Apr 12 22:45:20 2013 -0700
+
+    integer overflow in XRenderQueryFilters() [CVE-2013-1987 1/3]
+    
+    The length, numFilters & numAliases members of the reply are all CARD32
+    and need to be bounds checked before multiplying & adding them together
+    to come up with the total size to allocate, to avoid integer overflow
+    leading to underallocation and writing data from the network past the
+    end of the allocated buffer.
+    
+    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit 73e77eb21d649edc1ce1746739f9358e337b2935
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Fri May 3 22:48:11 2013 -0700
+
+    Use _XEatDataWords to avoid overflow of rep.length bit shifting
+    
+    rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit 1af52cb334377611233d7dc156bc1e6f7923756d
+Author: Colin Walters <walters@verbum.org>
+Date:   Wed Jan 4 17:37:06 2012 -0500
+
+    autogen.sh: Implement GNOME Build API
+    
+    http://people.gnome.org/~walters/docs/build-api.txt
+    
+    Signed-off-by: Adam Jackson <ajax@redhat.com>
+
+commit a4265cd7a69349f1697f81e18303a77358e27f33
+Author: Adam Jackson <ajax@redhat.com>
+Date:   Tue Jan 15 14:28:48 2013 -0500
+
+    configure: Remove AM_MAINTAINER_MODE
+    
+    Signed-off-by: Adam Jackson <ajax@redhat.com>
+
 commit bf1aa4e05997ab97be4413ccdb6d0d1eb45aeefe
 Author: Alan Coopersmith <alan.coopersmith@oracle.com>
 Date:   Wed Mar 7 20:46:50 2012 -0800
diff --git a/debian/changelog b/debian/changelog
index 6bf2581..7ff3613 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+libxrender (1:0.9.8-1) UNRELEASED; urgency=low
+
+  * New upstream release.
+
+ -- Julien Cristau <jcristau@debian.org>  Sun, 30 Jun 2013 19:05:55 +0200
+
 libxrender (1:0.9.7-1+deb7u1) wheezy-security; urgency=high
 
   * integer overflows calculating memory needs for replies [CVE-2013-1987]

commit 61236e831f8cc0761b26b49e37a4df9c187aa0ba
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Thu Jun 13 22:41:00 2013 -0700

    libXrender 0.9.8
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

diff --git a/configure.ac b/configure.ac
index 7c2496c..4e6b271 100644
--- a/configure.ac
+++ b/configure.ac
@@ -29,7 +29,7 @@ AC_PREREQ([2.60])
 # digit in the version number to track changes which don't affect the
 # protocol, so Xrender version l.n.m corresponds to protocol version l.n
 #
-AC_INIT(libXrender, [0.9.7],
+AC_INIT(libXrender, [0.9.8],
 	[https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXrender])
 AC_CONFIG_SRCDIR([Makefile.am])
 AC_CONFIG_HEADERS([config.h])

commit 90ea8142eb33d733b6a348746868e90c3158d248
Author: Julien Cristau <jcristau@debian.org>
Date:   Tue May 14 19:29:23 2013 +0200

    Upload to wheezy-security

diff --git a/debian/changelog b/debian/changelog
index 15e2482..6bf2581 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+libxrender (1:0.9.7-1+deb7u1) wheezy-security; urgency=high
+
+  * integer overflows calculating memory needs for replies [CVE-2013-1987]
+
+ -- Julien Cristau <jcristau@debian.org>  Tue, 14 May 2013 19:28:26 +0200
+
 libxrender (1:0.9.7-1) unstable; urgency=low
 
   * New upstream release.

commit 32896bb3d2bd0990b4e3a16397f9b6b37c96b1a0
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Apr 12 23:02:11 2013 -0700

    integer overflow in XRenderQueryPictIndexValues() [CVE-2013-1987 3/3]
    
    The length and numIndexValues members of the reply are both CARD32 and
    need to be bounds checked before multiplying by sizeof (XIndexValue) to
    avoid integer overflow leading to underallocation and writing data from
    the network past the end of the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

diff --git a/src/Xrender.c b/src/Xrender.c
index a62c753..3102eb2 100644
--- a/src/Xrender.c
+++ b/src/Xrender.c
@@ -844,7 +844,7 @@ XRenderQueryPictIndexValues(Display			*dpy,
     xRenderQueryPictIndexValuesReq	*req;
     xRenderQueryPictIndexValuesReply	rep;
     XIndexValue				*values;
-    int					nbytes, nread, rlength, i;
+    unsigned int			nbytes, nread, rlength, i;
 
     RenderCheckExtension (dpy, info, NULL);
 
@@ -860,15 +860,22 @@ XRenderQueryPictIndexValues(Display			*dpy,
 	return NULL;
     }
 
-    /* request data length */
-    nbytes = (long)rep.length << 2;
-    /* bytes of actual data in the request */
-    nread = rep.numIndexValues * SIZEOF (xIndexValue);
-    /* size of array returned to application */
-    rlength = rep.numIndexValues * sizeof (XIndexValue);
+    if ((rep.length < (INT_MAX >> 2)) &&
+	(rep.numIndexValues < (INT_MAX / sizeof (XIndexValue)))) {
+	/* request data length */
+	nbytes = rep.length << 2;
+	/* bytes of actual data in the request */
+	nread = rep.numIndexValues * SIZEOF (xIndexValue);
+	/* size of array returned to application */
+	rlength = rep.numIndexValues * sizeof (XIndexValue);
+
+	/* allocate returned data */
+	values = Xmalloc (rlength);
+    } else {
+	nbytes = nread = rlength = 0;
+	values = NULL;
+    }
 
-    /* allocate returned data */
-    values = (XIndexValue *)Xmalloc (rlength);
     if (!values)
     {
 	_XEatDataWords (dpy, rep.length);
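Review bot: The new guard bounds rep.length and rep.numIndexValues individually but never checks that the reply actually carries the data it announces, i.e. that `nread` fits inside `nbytes`; the sibling XRenderQueryFormats fix in this series ends with `if (!xri || !xData || nbytes < rlength)` and this function should apply the same relation. Adding `(rep.numIndexValues * SIZEOF (xIndexValue) <= (rep.length << 2))` as a third conjunct of the `if` is safe because the two preceding conjuncts already keep both products below INT_MAX, and it routes an inconsistent reply into the existing `if (!values)` / `_XEatDataWords` path. The loop that reads numIndexValues entries and the padding skip are outside the hunk, so I cannot confirm from here how an oversized count is treated there. The same hunk appears again under commit 786f78fd later in this mail; the remark applies there too.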

commit baed2297c0fc2ba0e94e93ffc83b397cd9eabc24
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Apr 12 23:02:11 2013 -0700

    integer overflow in XRenderQueryFormats() [CVE-2013-1987 2/3]
    
    The length, numFormats, numScreens, numDepths, and numVisuals members of
    the reply are all CARD32 and need to be bounds checked before multiplying
    and adding them together to come up with the total size to allocate, to
    avoid integer overflow leading to underallocation and writing data from
    the network past the end of the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

diff --git a/src/Xrender.c b/src/Xrender.c
index 5c8e5f5..a62c753 100644
--- a/src/Xrender.c
+++ b/src/Xrender.c
@@ -26,6 +26,7 @@
 #include <config.h>
 #endif
 #include "Xrenderint.h"
+#include <limits.h>
 
 XRenderExtInfo XRenderExtensionInfo;
 char XRenderExtensionName[] = RENDER_NAME;
@@ -411,8 +412,8 @@ XRenderQueryFormats (Display *dpy)
     CARD32			*xSubpixel;
     void			*xData;
     int				nf, ns, nd, nv;
-    int				rlength;
-    int				nbytes;
+    unsigned long		rlength;
+    unsigned long		nbytes;
 
     RenderCheckExtension (dpy, info, 0);
     LockDisplay (dpy);
@@ -458,18 +459,29 @@ XRenderQueryFormats (Display *dpy)
     if (async_state.major_version == 0 && async_state.minor_version < 6)
 	rep.numSubpixel = 0;
 
-    xri = (XRenderInfo *) Xmalloc (sizeof (XRenderInfo) +
-				   rep.numFormats * sizeof (XRenderPictFormat) +
-				   rep.numScreens * sizeof (XRenderScreen) +
-				   rep.numDepths * sizeof (XRenderDepth) +
-				   rep.numVisuals * sizeof (XRenderVisual));
-    rlength = (rep.numFormats * sizeof (xPictFormInfo) +
-	       rep.numScreens * sizeof (xPictScreen) +
-	       rep.numDepths * sizeof (xPictDepth) +
-	       rep.numVisuals * sizeof (xPictVisual) +
-	       rep.numSubpixel * 4);
-    xData = (void *) Xmalloc (rlength);
-    nbytes = (int) rep.length << 2;
+    if ((rep.numFormats < ((INT_MAX / 4) / sizeof (XRenderPictFormat))) &&
+	(rep.numScreens < ((INT_MAX / 4) / sizeof (XRenderScreen))) &&
+	(rep.numDepths  < ((INT_MAX / 4) / sizeof (XRenderDepth))) &&
+	(rep.numVisuals < ((INT_MAX / 4) / sizeof (XRenderVisual))) &&
+	(rep.numSubpixel < ((INT_MAX / 4) / 4)) &&
+	(rep.length < (INT_MAX >> 2)) ) {
+	xri = Xmalloc (sizeof (XRenderInfo) +
+		       (rep.numFormats * sizeof (XRenderPictFormat)) +
+		       (rep.numScreens * sizeof (XRenderScreen)) +
+		       (rep.numDepths * sizeof (XRenderDepth)) +
+		       (rep.numVisuals * sizeof (XRenderVisual)));
+	rlength = ((rep.numFormats * sizeof (xPictFormInfo)) +
+		   (rep.numScreens * sizeof (xPictScreen)) +
+		   (rep.numDepths * sizeof (xPictDepth)) +
+		   (rep.numVisuals * sizeof (xPictVisual)) +
+		   (rep.numSubpixel * 4));
+	xData = Xmalloc (rlength);
+	nbytes = (unsigned long) rep.length << 2;
+    } else {
+	xri = NULL;
+	xData = NULL;
+	rlength = nbytes = 0;
+    }
 
     if (!xri || !xData || nbytes < rlength)
     {
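Review bot: The bound block at the top of this hunk carries no comment saying why each count is limited to `(INT_MAX / 4) / sizeof (…)`, whereas the matching XRenderQueryFilters fix in this series adds a "Limit each component of combined size to 1/4 the max" comment; add the same comment here, and extend it with the two facts a reader needs: rlength has five summands (the four counts plus `numSubpixel * 4`), so the total may exceed INT_MAX but still fits `unsigned long` even on ILP32, and the `if (!xri || !xData || nbytes < rlength)` test that follows is what rejects a reply shorter than the sizes it announces. Something like `/* Each term is < INT_MAX/4 so neither product nor the sums below can wrap; the nbytes < rlength check afterwards rejects replies that do not carry what they announce. */` would do. The same hunk is repeated under commit 9e577d40 further down this mail.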

commit 89914eb45ff0f55f2a33fd1a1b0cbbb26a6441fc
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Apr 12 22:45:20 2013 -0700

    integer overflow in XRenderQueryFilters() [CVE-2013-1987 1/3]
    
    The length, numFilters & numAliases members of the reply are all CARD32
    and need to be bounds checked before multiplying & adding them together
    to come up with the total size to allocate, to avoid integer overflow
    leading to underallocation and writing data from the network past the
    end of the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

diff --git a/src/Filter.c b/src/Filter.c
index 924b2a3..edfa572 100644
--- a/src/Filter.c
+++ b/src/Filter.c
@@ -25,6 +25,7 @@
 #include <config.h>
 #endif
 #include "Xrenderint.h"
+#include <limits.h>
 
 XFilters *
 XRenderQueryFilters (Display *dpy, Drawable drawable)
@@ -37,7 +38,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
     char			*name;
     char			len;
     int				i;
-    long			nbytes, nbytesAlias, nbytesName;
+    unsigned long		nbytes, nbytesAlias, nbytesName;
 
     if (!RenderHasExtension (info))
 	return NULL;
@@ -60,22 +61,32 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
 	SyncHandle ();
 	return NULL;
     }
-    /*
-     * Compute total number of bytes for filter names
-     */
-    nbytes = (long)rep.length << 2;
-    nbytesAlias = rep.numAliases * 2;
-    if (rep.numAliases & 1)
-	nbytesAlias += 2;
-    nbytesName = nbytes - nbytesAlias;
 
     /*
-     * Allocate one giant block for the whole data structure
+     * Limit each component of combined size to 1/4 the max, which is far
+     * more than they should ever possibly need.
      */
-    filters = Xmalloc (sizeof (XFilters) +
-		       rep.numFilters * sizeof (char *) +
-		       rep.numAliases * sizeof (short) +
-		       nbytesName);
+    if ((rep.length < (INT_MAX >> 2)) &&
+	(rep.numFilters < ((INT_MAX / 4) / sizeof (char *))) &&
+	(rep.numAliases < ((INT_MAX / 4) / sizeof (short)))) {
+	/*
+	 * Compute total number of bytes for filter names
+	 */
+	nbytes = (unsigned long)rep.length << 2;
+	nbytesAlias = rep.numAliases * 2;
+	if (rep.numAliases & 1)
+	    nbytesAlias += 2;
+	nbytesName = nbytes - nbytesAlias;
+
+	/*
+	 * Allocate one giant block for the whole data structure
+	 */
+	filters = Xmalloc (sizeof (XFilters) +
+			   (rep.numFilters * sizeof (char *)) +
+			   (rep.numAliases * sizeof (short)) +
+			   nbytesName);
+    } else
+	filters = NULL;
 
     if (!filters)
     {
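Review bot: The guard does not require `nbytesAlias <= nbytes`, so for a reply whose numAliases is large relative to length the unsigned subtraction `nbytesName = nbytes - nbytesAlias;` wraps, and because the Xmalloc argument on the following lines is summed in the same unsigned arithmetic the wrap cancels against the `rep.numAliases * sizeof (short)` term (sizeof(short) being 2), leaving a small, successful allocation rather than the failure the `if (!filters)` path expects. The quarter-of-INT_MAX bounds only stop the individual products from overflowing; they say nothing about whether the counts are consistent with the byte length the reply actually carries. Reject such replies explicitly before the subtraction so they fall into the existing `_XEatDataWords` error path; how the alias table and names are filled afterwards is outside the hunk, so I cannot say from here whether that code is bounded on its own. The same hunk appears again under commit e5285397 later in this mail.
```c
	nbytesAlias = rep.numAliases * 2;
	if (rep.numAliases & 1)
	    nbytesAlias += 2;
	if (nbytesAlias > nbytes) {
	    /* alias table larger than the reply body: treat as a bad reply */
	    nbytesName = 0;
	    filters = NULL;
	} else {
	    nbytesName = nbytes - nbytesAlias;
	    /* … unchanged: allocate one giant block for the whole data structure … */
	    filters = Xmalloc (sizeof (XFilters) +
			       (rep.numFilters * sizeof (char *)) +
			       (rep.numAliases * sizeof (short)) +
			       nbytesName);
	}
```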

commit 432e759ed95aa5486cb65d25b35253dad59b47af
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri May 3 22:48:11 2013 -0700

    Use _XEatDataWords to avoid overflow of rep.length bit shifting
    
    rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

diff --git a/configure.ac b/configure.ac
index bf7fe60..89a119f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -59,6 +59,12 @@ AC_SUBST(RENDER_VERSION)
 # Obtain compiler/linker options for depedencies
 PKG_CHECK_MODULES(RENDER, x11 renderproto >= $RENDER_VERSION)
 
+# Check for _XEatDataWords function that may be patched into older Xlib release
+SAVE_LIBS="$LIBS"
+LIBS="$RENDER_LIBS"
+AC_CHECK_FUNCS([_XEatDataWords])
+LIBS="$SAVE_LIBS"
+
 AC_CONFIG_FILES([Makefile
 		src/Makefile
 		xrender.pc])
diff --git a/src/Filter.c b/src/Filter.c
index 5fe9df9..924b2a3 100644
--- a/src/Filter.c
+++ b/src/Filter.c
@@ -79,7 +79,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
 
     if (!filters)
     {
-	_XEatData (dpy, (unsigned long) rep.length << 2);
+	_XEatDataWords(dpy, rep.length);
 	UnlockDisplay (dpy);
 	SyncHandle ();
 	return NULL;
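Review bot: `_XEatDataWords(dpy, rep.length);` is written without the space before the parenthesis that the rest of this file (`_XEatData (dpy, …)`) and the Xrender.c hunks of the same commit (`_XEatDataWords (dpy, rep.length);`) use; make it `_XEatDataWords (dpy, rep.length);` so the call style stays uniform. The same line recurs under commit 73e77eb2 further down this mail.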
diff --git a/src/Xrender.c b/src/Xrender.c
index 769503a..5c8e5f5 100644
--- a/src/Xrender.c
+++ b/src/Xrender.c
@@ -475,7 +475,7 @@ XRenderQueryFormats (Display *dpy)
     {
 	if (xri) Xfree (xri);
 	if (xData) Xfree (xData);
-	_XEatData (dpy, nbytes);
+	_XEatDataWords (dpy, rep.length);
 	UnlockDisplay (dpy);
 	SyncHandle ();
 	return 0;
@@ -859,7 +859,7 @@ XRenderQueryPictIndexValues(Display			*dpy,
     values = (XIndexValue *)Xmalloc (rlength);
     if (!values)
     {
-	_XEatData (dpy, nbytes);
+	_XEatDataWords (dpy, rep.length);
 	UnlockDisplay (dpy);
 	SyncHandle ();
 	return NULL;
diff --git a/src/Xrenderint.h b/src/Xrenderint.h
index 57b13da..daaa6fe 100644
--- a/src/Xrenderint.h
+++ b/src/Xrenderint.h
@@ -109,4 +109,18 @@ XRenderFindDisplay (Display *dpy);
 #define DataInt32(dpy,d,len)	Data(dpy,(char *) (d),len)
 #endif
 
+#ifndef HAVE__XEATDATAWORDS
+#include <X11/Xmd.h>  /* for LONG64 on 64-bit platforms */
+#include <limits.h>
+
+static inline void _XEatDataWords(Display *dpy, unsigned long n)
+{
+# ifndef LONG64
+    if (n >= (ULONG_MAX >> 2))
+        _XIOError(dpy);
+# endif
+    _XEatData (dpy, n << 2);
+}
+#endif
+
 #endif /* _XRENDERINT_H_ */
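Review bot: The fallback `_XEatDataWords` has no comment explaining when it is compiled or what its guard relies on; a reader has to go to configure.ac to learn that `HAVE__XEATDATAWORDS` comes from the new `AC_CHECK_FUNCS([_XEatDataWords])` probe, and the `_XIOError(dpy)` branch only protects the shift on the next line if `_XIOError` does not return (as Xlib's I/O error handling contract requires). Add above the function something like `/* Fallback for Xlib releases without _XEatDataWords (see AC_CHECK_FUNCS in configure.ac). n is a reply length in 32-bit words; on ILP32 it is range-checked so that n << 2 cannot wrap, relying on _XIOError not returning. */`. The same hunk is repeated under commit 73e77eb2 later in this mail.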

commit 786f78fd8df6d165ccbc81f306fd9f22b5c1551c
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Apr 12 23:02:11 2013 -0700

    integer overflow in XRenderQueryPictIndexValues() [CVE-2013-1987 3/3]
    
    The length and numIndexValues members of the reply are both CARD32 and
    need to be bounds checked before multiplying by sizeof (XIndexValue) to
    avoid integer overflow leading to underallocation and writing data from
    the network past the end of the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

diff --git a/src/Xrender.c b/src/Xrender.c
index a62c753..3102eb2 100644
--- a/src/Xrender.c
+++ b/src/Xrender.c
@@ -844,7 +844,7 @@ XRenderQueryPictIndexValues(Display			*dpy,
     xRenderQueryPictIndexValuesReq	*req;
     xRenderQueryPictIndexValuesReply	rep;
     XIndexValue				*values;
-    int					nbytes, nread, rlength, i;
+    unsigned int			nbytes, nread, rlength, i;
 
     RenderCheckExtension (dpy, info, NULL);
 
@@ -860,15 +860,22 @@ XRenderQueryPictIndexValues(Display			*dpy,
 	return NULL;
     }
 
-    /* request data length */
-    nbytes = (long)rep.length << 2;
-    /* bytes of actual data in the request */
-    nread = rep.numIndexValues * SIZEOF (xIndexValue);
-    /* size of array returned to application */
-    rlength = rep.numIndexValues * sizeof (XIndexValue);
+    if ((rep.length < (INT_MAX >> 2)) &&
+	(rep.numIndexValues < (INT_MAX / sizeof (XIndexValue)))) {
+	/* request data length */
+	nbytes = rep.length << 2;
+	/* bytes of actual data in the request */
+	nread = rep.numIndexValues * SIZEOF (xIndexValue);
+	/* size of array returned to application */
+	rlength = rep.numIndexValues * sizeof (XIndexValue);
+
+	/* allocate returned data */
+	values = Xmalloc (rlength);
+    } else {
+	nbytes = nread = rlength = 0;
+	values = NULL;
+    }
 
-    /* allocate returned data */
-    values = (XIndexValue *)Xmalloc (rlength);
     if (!values)
     {
 	_XEatDataWords (dpy, rep.length);

commit 9e577d40322b9e3d8bdefec0eefa44d8ead451a4
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Apr 12 23:02:11 2013 -0700

    integer overflow in XRenderQueryFormats() [CVE-2013-1987 2/3]
    
    The length, numFormats, numScreens, numDepths, and numVisuals members of
    the reply are all CARD32 and need to be bounds checked before multiplying
    and adding them together to come up with the total size to allocate, to
    avoid integer overflow leading to underallocation and writing data from
    the network past the end of the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

diff --git a/src/Xrender.c b/src/Xrender.c
index 5c8e5f5..a62c753 100644
--- a/src/Xrender.c
+++ b/src/Xrender.c
@@ -26,6 +26,7 @@
 #include <config.h>
 #endif
 #include "Xrenderint.h"
+#include <limits.h>
 
 XRenderExtInfo XRenderExtensionInfo;
 char XRenderExtensionName[] = RENDER_NAME;
@@ -411,8 +412,8 @@ XRenderQueryFormats (Display *dpy)
     CARD32			*xSubpixel;
     void			*xData;
     int				nf, ns, nd, nv;
-    int				rlength;
-    int				nbytes;
+    unsigned long		rlength;
+    unsigned long		nbytes;
 
     RenderCheckExtension (dpy, info, 0);
     LockDisplay (dpy);
@@ -458,18 +459,29 @@ XRenderQueryFormats (Display *dpy)
     if (async_state.major_version == 0 && async_state.minor_version < 6)
 	rep.numSubpixel = 0;
 
-    xri = (XRenderInfo *) Xmalloc (sizeof (XRenderInfo) +
-				   rep.numFormats * sizeof (XRenderPictFormat) +
-				   rep.numScreens * sizeof (XRenderScreen) +
-				   rep.numDepths * sizeof (XRenderDepth) +
-				   rep.numVisuals * sizeof (XRenderVisual));
-    rlength = (rep.numFormats * sizeof (xPictFormInfo) +
-	       rep.numScreens * sizeof (xPictScreen) +
-	       rep.numDepths * sizeof (xPictDepth) +
-	       rep.numVisuals * sizeof (xPictVisual) +
-	       rep.numSubpixel * 4);
-    xData = (void *) Xmalloc (rlength);
-    nbytes = (int) rep.length << 2;
+    if ((rep.numFormats < ((INT_MAX / 4) / sizeof (XRenderPictFormat))) &&
+	(rep.numScreens < ((INT_MAX / 4) / sizeof (XRenderScreen))) &&
+	(rep.numDepths  < ((INT_MAX / 4) / sizeof (XRenderDepth))) &&
+	(rep.numVisuals < ((INT_MAX / 4) / sizeof (XRenderVisual))) &&
+	(rep.numSubpixel < ((INT_MAX / 4) / 4)) &&
+	(rep.length < (INT_MAX >> 2)) ) {
+	xri = Xmalloc (sizeof (XRenderInfo) +
+		       (rep.numFormats * sizeof (XRenderPictFormat)) +
+		       (rep.numScreens * sizeof (XRenderScreen)) +
+		       (rep.numDepths * sizeof (XRenderDepth)) +
+		       (rep.numVisuals * sizeof (XRenderVisual)));
+	rlength = ((rep.numFormats * sizeof (xPictFormInfo)) +
+		   (rep.numScreens * sizeof (xPictScreen)) +
+		   (rep.numDepths * sizeof (xPictDepth)) +
+		   (rep.numVisuals * sizeof (xPictVisual)) +
+		   (rep.numSubpixel * 4));
+	xData = Xmalloc (rlength);
+	nbytes = (unsigned long) rep.length << 2;
+    } else {
+	xri = NULL;
+	xData = NULL;
+	rlength = nbytes = 0;
+    }
 
     if (!xri || !xData || nbytes < rlength)
     {

commit e52853974664289fe42a92909667ed77cfa1cec5
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Apr 12 22:45:20 2013 -0700

    integer overflow in XRenderQueryFilters() [CVE-2013-1987 1/3]
    
    The length, numFilters & numAliases members of the reply are all CARD32
    and need to be bounds checked before multiplying & adding them together
    to come up with the total size to allocate, to avoid integer overflow
    leading to underallocation and writing data from the network past the
    end of the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

diff --git a/src/Filter.c b/src/Filter.c
index 924b2a3..edfa572 100644
--- a/src/Filter.c
+++ b/src/Filter.c
@@ -25,6 +25,7 @@
 #include <config.h>
 #endif
 #include "Xrenderint.h"
+#include <limits.h>
 
 XFilters *
 XRenderQueryFilters (Display *dpy, Drawable drawable)
@@ -37,7 +38,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
     char			*name;
     char			len;
     int				i;
-    long			nbytes, nbytesAlias, nbytesName;
+    unsigned long		nbytes, nbytesAlias, nbytesName;
 
     if (!RenderHasExtension (info))
 	return NULL;
@@ -60,22 +61,32 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
 	SyncHandle ();
 	return NULL;
     }
-    /*
-     * Compute total number of bytes for filter names
-     */
-    nbytes = (long)rep.length << 2;
-    nbytesAlias = rep.numAliases * 2;
-    if (rep.numAliases & 1)
-	nbytesAlias += 2;
-    nbytesName = nbytes - nbytesAlias;
 
     /*
-     * Allocate one giant block for the whole data structure
+     * Limit each component of combined size to 1/4 the max, which is far
+     * more than they should ever possibly need.
      */
-    filters = Xmalloc (sizeof (XFilters) +
-		       rep.numFilters * sizeof (char *) +
-		       rep.numAliases * sizeof (short) +
-		       nbytesName);
+    if ((rep.length < (INT_MAX >> 2)) &&
+	(rep.numFilters < ((INT_MAX / 4) / sizeof (char *))) &&
+	(rep.numAliases < ((INT_MAX / 4) / sizeof (short)))) {
+	/*
+	 * Compute total number of bytes for filter names
+	 */
+	nbytes = (unsigned long)rep.length << 2;
+	nbytesAlias = rep.numAliases * 2;
+	if (rep.numAliases & 1)
+	    nbytesAlias += 2;
+	nbytesName = nbytes - nbytesAlias;
+
+	/*
+	 * Allocate one giant block for the whole data structure
+	 */
+	filters = Xmalloc (sizeof (XFilters) +
+			   (rep.numFilters * sizeof (char *)) +
+			   (rep.numAliases * sizeof (short)) +
+			   nbytesName);
+    } else
+	filters = NULL;
 
     if (!filters)
     {

commit 73e77eb21d649edc1ce1746739f9358e337b2935
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri May 3 22:48:11 2013 -0700

    Use _XEatDataWords to avoid overflow of rep.length bit shifting
    
    rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

diff --git a/configure.ac b/configure.ac
index 19dce7a..7c2496c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -58,6 +58,12 @@ AC_SUBST(RENDER_VERSION)
 # Obtain compiler/linker options for depedencies
 PKG_CHECK_MODULES(RENDER, x11 renderproto >= $RENDER_VERSION)
 
+# Check for _XEatDataWords function that may be patched into older Xlib release
+SAVE_LIBS="$LIBS"
+LIBS="$RENDER_LIBS"
+AC_CHECK_FUNCS([_XEatDataWords])
+LIBS="$SAVE_LIBS"
+
 AC_CONFIG_FILES([Makefile
 		src/Makefile
 		xrender.pc])
diff --git a/src/Filter.c b/src/Filter.c
index 5fe9df9..924b2a3 100644
--- a/src/Filter.c
+++ b/src/Filter.c
@@ -79,7 +79,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
 
     if (!filters)
     {
-	_XEatData (dpy, (unsigned long) rep.length << 2);
+	_XEatDataWords(dpy, rep.length);
 	UnlockDisplay (dpy);
 	SyncHandle ();
 	return NULL;
diff --git a/src/Xrender.c b/src/Xrender.c
index 769503a..5c8e5f5 100644
--- a/src/Xrender.c
+++ b/src/Xrender.c
@@ -475,7 +475,7 @@ XRenderQueryFormats (Display *dpy)
     {
 	if (xri) Xfree (xri);
 	if (xData) Xfree (xData);
-	_XEatData (dpy, nbytes);
+	_XEatDataWords (dpy, rep.length);
 	UnlockDisplay (dpy);
 	SyncHandle ();
 	return 0;
@@ -859,7 +859,7 @@ XRenderQueryPictIndexValues(Display			*dpy,
     values = (XIndexValue *)Xmalloc (rlength);
     if (!values)
     {
-	_XEatData (dpy, nbytes);
+	_XEatDataWords (dpy, rep.length);
 	UnlockDisplay (dpy);
 	SyncHandle ();
 	return NULL;
diff --git a/src/Xrenderint.h b/src/Xrenderint.h
index 57b13da..daaa6fe 100644
--- a/src/Xrenderint.h
+++ b/src/Xrenderint.h
@@ -109,4 +109,18 @@ XRenderFindDisplay (Display *dpy);
 #define DataInt32(dpy,d,len)	Data(dpy,(char *) (d),len)
 #endif
 
+#ifndef HAVE__XEATDATAWORDS
+#include <X11/Xmd.h>  /* for LONG64 on 64-bit platforms */
+#include <limits.h>
+
+static inline void _XEatDataWords(Display *dpy, unsigned long n)
+{
+# ifndef LONG64
+    if (n >= (ULONG_MAX >> 2))
+        _XIOError(dpy);
+# endif
+    _XEatData (dpy, n << 2);
+}
+#endif
+
 #endif /* _XRENDERINT_H_ */

commit 1af52cb334377611233d7dc156bc1e6f7923756d
Author: Colin Walters <walters@verbum.org>
Date:   Wed Jan 4 17:37:06 2012 -0500

    autogen.sh: Implement GNOME Build API

