libxres: Changes to 'upstream-unstable'
configure.ac | 8 +++++++-
src/Makefile.am | 2 +-
src/XRes.c | 29 +++++++++++++++++++++++++----
3 files changed, 33 insertions(+), 6 deletions(-)
New commits:
commit b51a7b0ccf0d5ccb53fbd5d34ed8fe57603d2604
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Thu May 30 17:51:12 2013 -0700
libXres 1.0.7
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
diff --git a/configure.ac b/configure.ac
index 10e47d2..fc92739 100644
--- a/configure.ac
+++ b/configure.ac
@@ -29,7 +29,7 @@ AC_PREREQ([2.60])
# digit in the version number to track changes which don't affect the
# protocol, so XRes version l.n.m corresponds to protocol version l.n
#
-AC_INIT([libXres], [1.0.6],
+AC_INIT([libXres], [1.0.7],
[https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXres])
AC_CONFIG_SRCDIR([Makefile.am])
AC_CONFIG_HEADERS([config.h])
commit ad156a716a324ee60362c8ba66a5ed8c835c219b
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri Apr 12 23:36:13 2013 -0700
integer overflow in XResQueryClientResources() [CVE-2013-1988 2/2]
The CARD32 rep.num_types needs to be bounds checked before multiplying
by sizeof(XResType) to avoid integer overflow leading to underallocation
and writing data from the network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
diff --git a/src/XRes.c b/src/XRes.c
index 5117321..ff21dd4 100644
--- a/src/XRes.c
+++ b/src/XRes.c
@@ -186,7 +186,12 @@ Status XResQueryClientResources (
}
if(rep.num_types) {
- if((typs = Xmalloc(sizeof(XResType) * rep.num_types))) {
+ if (rep.num_types < (INT_MAX / sizeof(XResType)))
+ typs = Xmalloc(sizeof(XResType) * rep.num_types);
+ else
+ typs = NULL;
+
+ if (typs != NULL) {
xXResType scratch;
int i;
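Review bot: The new guard on `rep.num_types` only rules out overflow of the multiplication; it does not compare the count with `rep.length`, so a reply that declares more entries than it carries still passes the check and can request an allocation approaching INT_MAX bytes. The read loop is outside this hunk, but if it reads one `xXResType` per entry, it would then consume bytes that belong to whatever follows this reply on the connection. Consider also requiring the count to fit the reply, for example `rep.num_types <= rep.length / (sizeof(xXResType) >> 2)`, assuming the wire struct has no padding. The same applies to the `rep.num_clients` check in XResQueryClients. The body of XResQueryClientResources starts and ends outside the hunk.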
commit 3ec2db9eeb9ba8fb561802b0c4b8bf79e321b7a2
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri Apr 12 23:36:13 2013 -0700
integer overflow in XResQueryClients() [CVE-2013-1988 1/2]
The CARD32 rep.num_clients needs to be bounds checked before multiplying
by sizeof(XResClient) to avoid integer overflow leading to underallocation
and writing data from the network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
diff --git a/src/XRes.c b/src/XRes.c
index ae86206..5117321 100644
--- a/src/XRes.c
+++ b/src/XRes.c
@@ -129,7 +129,12 @@ Status XResQueryClients (
}
if(rep.num_clients) {
- if((clnts = Xmalloc(sizeof(XResClient) * rep.num_clients))) {
+ if (rep.num_clients < (INT_MAX / sizeof(XResClient)))
+ clnts = Xmalloc(sizeof(XResClient) * rep.num_clients);
+ else
+ clnts = NULL;
+
+ if (clnts != NULL) {
xXResClient scratch;
int i;
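Review bot: The check `rep.num_clients < (INT_MAX / sizeof(XResClient))` has no comment explaining why INT_MAX is the limit, or that an over-large count is deliberately sent down the same path as a failed allocation by setting `clnts = NULL`. A one-line comment above it would help the next reader, such as `/* num_clients comes from the server reply: refuse counts whose byte size would overflow and treat them like an allocation failure */`. What the NULL path does with the unread reply is decided outside this hunk, so confirm that before describing it in the comment. The same comment would suit the `rep.num_types` check in XResQueryClientResources.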
commit 95b352b0f4a1ab1bc254e78adbc73cd65223ded4
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat Apr 13 10:34:22 2013 -0700
Use _XEatDataWords to avoid overflow of rep.length shifting
rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
diff --git a/configure.ac b/configure.ac
index bc4e8a6..10e47d2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -55,6 +55,12 @@ RES_VERSION=[`echo $VERSION | sed 's/^\([0-9][0-9]*\.[0-9][0-9]*\).*$/\1/'`]
# Obtain compiler/linker options for depedencies
PKG_CHECK_MODULES(XRES, x11 xext xextproto [resourceproto >= $RES_VERSION])
+# Check for _XEatDataWords function that may be patched into older Xlib release
+SAVE_LIBS="$LIBS"
+LIBS="$XRES_LIBS"
+AC_CHECK_FUNCS([_XEatDataWords])
+LIBS="$SAVE_LIBS"
+
AC_CONFIG_FILES([Makefile
src/Makefile
man/Makefile
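Review bot: The result of `AC_CHECK_FUNCS([_XEatDataWords])` reaches the C code only as `HAVE__XEATDATAWORDS` in config.h, so src/XRes.c must include config.h before its `#ifndef HAVE__XEATDATAWORDS` test; that include is not visible in the XRes.c hunk, which starts at line 12. If it is missing, the fallback definition is always compiled, even against an Xlib that already provides the function. It is worth confirming that the file opens with `#ifdef HAVE_CONFIG_H` / `#include <config.h>`. The comment could also say that the check links against `$XRES_LIBS`, which is why `LIBS` is saved and restored around it.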
diff --git a/src/XRes.c b/src/XRes.c
index 6091c96..ae86206 100644
--- a/src/XRes.c
+++ b/src/XRes.c
@@ -12,7 +12,18 @@
#include <X11/extensions/extutil.h>
#include <X11/extensions/XResproto.h>
#include <X11/extensions/XRes.h>
+#include <limits.h>
+#ifndef HAVE__XEATDATAWORDS
+static inline void _XEatDataWords(Display *dpy, unsigned long n)
+{
+# ifndef LONG64
+ if (n >= (ULONG_MAX >> 2))
+ _XIOError(dpy);
+# endif
+ _XEatData (dpy, n << 2);
+}
+#endif
static XExtensionInfo _xres_ext_info_data;
static XExtensionInfo *xres_ext_info = &_xres_ext_info_data;
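Review bot: The fallback `_XEatDataWords` is only safe if `_XIOError(dpy)` never returns, because the `_XEatData (dpy, n << 2)` call after the `#endif` is unconditional and would still pass a wrapped byte count if control got that far. That assumption is not stated anywhere in the hunk; a comment such as `/* _XIOError does not return, so the shift below cannot wrap */` would record it. The function also has no header comment; one line saying it discards `n` 4-byte words of reply data, and that it exists only for Xlib releases lacking the real function, would be enough. The `# ifndef LONG64` guard relies on an X header defining that macro on 64-bit builds, which could be noted too.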
@@ -131,7 +142,7 @@ Status XResQueryClients (
*num_clients = rep.num_clients;
result = 1;
} else {
- _XEatData(dpy, rep.length << 2);
+ _XEatDataWords(dpy, rep.length);
}
}
@@ -183,7 +194,7 @@ Status XResQueryClientResources (
*num_types = rep.num_types;
result = 1;
} else {
- _XEatData(dpy, rep.length << 2);
+ _XEatDataWords(dpy, rep.length);
}
}
commit d54acff47096cf52a9b8e018a26f7165e1092eb5
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri Jan 18 23:06:20 2013 -0800
Replace deprecated Automake INCLUDES variable with AM_CPPFLAGS
Excerpt https://lists.gnu.org/archive/html/automake/2012-12/msg00038.html
- Support for the long-deprecated INCLUDES variable will be removed
altogether in Automake 1.14. The AM_CPPFLAGS variable should be
used instead.
This variable was deprecated in Automake releases prior to 1.10, which is
the current minimum level required to build X.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
(cherry picked from commit 83e7693515369d57dcd11c2bb1f03563f51bc500)
diff --git a/src/Makefile.am b/src/Makefile.am
index fd508da..bf66d68 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -10,7 +10,7 @@ AM_CFLAGS = \
$(XRES_CFLAGS) \
$(MALLOC_ZERO_CFLAGS)
-INCLUDES = -I$(top_srcdir)/include
+AM_CPPFLAGS = -I$(top_srcdir)/include
libXRes_la_LDFLAGS = -version-number 1:0:0 -no-undefined