libxv: Changes to 'upstream-unstable'
autogen.sh | 4 ++
configure.ac | 9 ++++--
man/XvListImageFormats.man | 16 +++++-----
src/Xv.c | 67 ++++++++++++++++++++++++++++++++++++++-------
4 files changed, 75 insertions(+), 21 deletions(-)
New commits:
commit d58f74ebfd0c56ffeb8e288c65592228af197a2e
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat Jun 22 19:06:09 2013 -0700
libXv 1.0.9
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
diff --git a/configure.ac b/configure.ac
index cc88490..4f8c5f2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -22,7 +22,7 @@
# Initialize Autoconf
AC_PREREQ([2.60])
-AC_INIT([libXv], [1.0.8],
+AC_INIT([libXv], [1.0.9],
[https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXv])
AC_CONFIG_SRCDIR([Makefile.am])
AC_CONFIG_HEADERS([config.h])
commit 22cc0c897a28a41d49fe68277bb3c002f54bbb48
Author: Daphne Pfister <daphnediane@mac.com>
Date: Sat Jun 1 22:27:23 2013 -0400
Bug 65252: Ensure final name is nil-terminated & none point to uninitialized memory.
This patch attempts to fix this bug by ensuring that there is at least one
nil byte at the end of all the name strings. This should prevent reading
past the end of the allocation as well as exposing uninitialized memory.
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
diff --git a/src/Xv.c b/src/Xv.c
index 15c0bfd..8c45401 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -865,8 +865,8 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
unsigned long size;
/* limit each part to no more than one half the max size */
if ((rep.num_attributes < ((INT_MAX / 2) / sizeof(XvAttribute))) &&
- (rep.text_size < (INT_MAX / 2))) {
- size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size;
+ (rep.text_size < (INT_MAX / 2)-1)) {
+ size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size + 1;
ret = Xmalloc(size);
}
@@ -891,6 +891,10 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
}
(*num)++;
}
+
+ /* ensure final string is nil-terminated to avoid exposure of
+ uninitialized memory */
+ *marker = '\0';
} else
_XEatDataWords(dpy, rep.length);
}
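Review bot: The `*marker = '\0';` added after the loop terminates only the last name; every earlier `ret[i].name` still relies on the server having put a NUL inside its `Info.size` bytes, so an unterminated name runs on into the following one (inside the allocation, but not the string the caller expects). If each name is meant to be independently terminated, the terminator has to be written per iteration and the extra space sized by `rep.num_attributes` rather than the single `+ 1` added to `size` above.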
commit edfb6fc397686c1892603d0f86a9aadf14dbc12e
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat Jun 1 17:26:11 2013 -0700
XvQueryPortAttributes: add a comment explaining memory strategy
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
diff --git a/src/Xv.c b/src/Xv.c
index f268f8e..15c0bfd 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -850,6 +850,17 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
return ret;
}
+ /*
+ * X server sends data packed as:
+ * attribute1, name1, attribute2, name2, ...
+ * We allocate a single buffer large enough to hold them all and
+ * then de-interleave the data so we return it to clients as:
+ * attribute1, attribute2, ..., name1, name2, ...
+ * so that clients may refer to attributes as a simple array of
+ * structs: attributes[0], attributes[1], ...
+ * and free it as a single/simple buffer.
+ */
+
if(rep.num_attributes) {
unsigned long size;
/* limit each part to no more than one half the max size */
commit 179ed259e75a62e74532e36f52f3838deb2aac92
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri May 31 17:49:24 2013 -0700
libXv 1.0.8
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
diff --git a/configure.ac b/configure.ac
index 6a335db..cc88490 100644
--- a/configure.ac
+++ b/configure.ac
@@ -22,7 +22,7 @@
# Initialize Autoconf
AC_PREREQ([2.60])
-AC_INIT([libXv], [1.0.7],
+AC_INIT([libXv], [1.0.8],
[https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXv])
AC_CONFIG_SRCDIR([Makefile.am])
AC_CONFIG_HEADERS([config.h])
commit 50fc4cb18069cb9450a02c13f80223ef23511409
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat Apr 13 00:03:03 2013 -0700
integer overflow in XvCreateImage() [CVE-2013-1989 3/3]
num_planes is a CARD32 and needs to be bounds checked before bit shifting
and adding to sizeof(XvImage) to come up with the total size to allocate,
to avoid integer overflow leading to underallocation and writing data from
the network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
diff --git a/src/Xv.c b/src/Xv.c
index 0a07d9d..f268f8e 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -992,7 +992,10 @@ XvImage * XvCreateImage (
return NULL;
}
- if((ret = (XvImage*)Xmalloc(sizeof(XvImage) + (rep.num_planes << 3)))) {
+ if (rep.num_planes < ((INT_MAX >> 3) - sizeof(XvImage)))
+ ret = Xmalloc(sizeof(XvImage) + (rep.num_planes << 3));
+
+ if (ret != NULL) {
ret->id = id;
ret->width = rep.width;
ret->height = rep.height;
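Review bot: The bound `(INT_MAX >> 3) - sizeof(XvImage)` subtracts a byte count from a count of 8-byte entries, which is stricter than necessary and therefore safe, but the mixed units make the check hard to verify at a glance. A one-line comment stating the intended limit, like the "limit each part" comment in XvQueryPortAttributes, would help the next reader.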
commit 59301c1b5095f7dc6359d5b396dbbcdee7038270
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat Apr 13 00:03:03 2013 -0700
integer overflow in XvListImageFormats() [CVE-2013-1989 2/3]
num_formats is a CARD32 and needs to be bounds checked before multiplying
by sizeof(XvImageFormatValues) to come up with the total size to allocate,
to avoid integer overflow leading to underallocation and writing data from
the network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
diff --git a/src/Xv.c b/src/Xv.c
index f9813eb..0a07d9d 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -918,9 +918,10 @@ XvImageFormatValues * XvListImageFormats (
}
if(rep.num_formats) {
- int size = (rep.num_formats * sizeof(XvImageFormatValues));
+ if (rep.num_formats < (INT_MAX / sizeof(XvImageFormatValues)))
+ ret = Xmalloc(rep.num_formats * sizeof(XvImageFormatValues));
- if((ret = Xmalloc(size))) {
+ if (ret != NULL) {
xvImageFormatInfo Info;
int i;
commit 15ab7dec17d686c38f2c82ac23a17cac5622322a
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat Apr 13 00:16:14 2013 -0700
buffer overflow in XvQueryPortAttributes() [CVE-2013-2066]
Each attribute returned in the reply includes the number of bytes
to read for its marker. We had been always trusting it, and never
validating that it wouldn't cause us to write past the end of the
buffer we allocated based on the reported text_size.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
diff --git a/src/Xv.c b/src/Xv.c
index 3cbad35..f9813eb 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -864,14 +864,20 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
xvAttributeInfo Info;
int i;
+ /* keep track of remaining room for text strings */
+ size = rep.text_size;
+
for(i = 0; i < rep.num_attributes; i++) {
_XRead(dpy, (char*)(&Info), sz_xvAttributeInfo);
ret[i].flags = (int)Info.flags;
ret[i].min_value = Info.min;
ret[i].max_value = Info.max;
ret[i].name = marker;
- _XRead(dpy, marker, Info.size);
- marker += Info.size;
+ if (Info.size <= size) {
+ _XRead(dpy, marker, Info.size);
+ marker += Info.size;
+ size -= Info.size;
+ }
(*num)++;
}
} else
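Review bot: When `Info.size > size` the new check skips the `_XRead`, but nothing consumes those `Info.size` bytes from the connection, so the next iteration's `_XRead(dpy, (char*)(&Info), sz_xvAttributeInfo)` parses leftover name data as an attribute header. `(*num)++` also still counts an entry whose `name` points at buffer space that was never filled. Suggest an else branch that discards the oversized name, or stops the loop and drains the rest of the reply, and that does not count the entry.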
commit 6e1b743a276651195be3cd68dff41e38426bf3ab
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat Apr 13 00:03:03 2013 -0700
integer overflow in XvQueryPortAttributes() [CVE-2013-1989 1/3]
The num_attributes & text_size members of the reply are both CARD32s
and need to be bounds checked before multiplying & adding them together
to come up with the total size to allocate, to avoid integer overflow
leading to underallocation and writing data from the network past the
end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
diff --git a/src/Xv.c b/src/Xv.c
index 5be1d95..3cbad35 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -851,9 +851,15 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
}
if(rep.num_attributes) {
- int size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size;
+ unsigned long size;
+ /* limit each part to no more than one half the max size */
+ if ((rep.num_attributes < ((INT_MAX / 2) / sizeof(XvAttribute))) &&
+ (rep.text_size < (INT_MAX / 2))) {
+ size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size;
+ ret = Xmalloc(size);
+ }
- if((ret = Xmalloc(size))) {
+ if (ret != NULL) {
char* marker = (char*)(&ret[rep.num_attributes]);
xvAttributeInfo Info;
int i;
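Review bot: `if (ret != NULL)` is now reached with no assignment to `ret` when the bounds check fails, so the rejection path depends on `ret` having been initialised to NULL somewhere outside this hunk. Worth confirming at the declaration, or adding an explicit `else` that sets it, so the check cannot act on an indeterminate pointer.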
commit 79362c764a6df7e7fbe5247756bdbf60f3a58baf
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat Apr 13 00:28:34 2013 -0700
Use _XEatDataWords to avoid overflow of rep.length shifting
rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
diff --git a/configure.ac b/configure.ac
index 5494b5d..6a335db 100644
--- a/configure.ac
+++ b/configure.ac
@@ -43,6 +43,12 @@ XORG_CHECK_MALLOC_ZERO
# Obtain compiler/linker options for depedencies
PKG_CHECK_MODULES(XV, x11 xext xextproto videoproto)
+# Check for _XEatDataWords function that may be patched into older Xlib release
+SAVE_LIBS="$LIBS"
+LIBS="$XV_LIBS"
+AC_CHECK_FUNCS([_XEatDataWords])
+LIBS="$SAVE_LIBS"
+
# Allow checking code with lint, sparse, etc.
XORG_WITH_LINT
XORG_LINT_LIBRARY([Xv])
diff --git a/src/Xv.c b/src/Xv.c
index b081e8a..5be1d95 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -49,11 +49,27 @@ SOFTWARE.
**
*/
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
#include <stdio.h>
#include "Xvlibint.h"
#include <X11/extensions/Xext.h>
#include <X11/extensions/extutil.h>
#include <X11/extensions/XShm.h>
+#include <limits.h>
+
+#ifndef HAVE__XEATDATAWORDS
+static inline void _XEatDataWords(Display *dpy, unsigned long n)
+{
+# ifndef LONG64
+ if (n >= (ULONG_MAX >> 2))
+ _XIOError(dpy);
+# endif
+ _XEatData (dpy, n << 2);
+}
+#endif
static XExtensionInfo _xv_info_data;
static XExtensionInfo *xv_info = &_xv_info_data;
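Review bot: In the `#ifndef LONG64` branch the fallback calls `_XIOError(dpy)` and then falls through to `_XEatData (dpy, n << 2)` with the value that was just rejected, so correctness rests on `_XIOError` never returning. A short comment saying so, or an `else` around the `_XEatData` call, would make that explicit.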
@@ -853,7 +869,7 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
(*num)++;
}
} else
- _XEatData(dpy, rep.length << 2);
+ _XEatDataWords(dpy, rep.length);
}
UnlockDisplay(dpy);
@@ -923,7 +939,7 @@ XvImageFormatValues * XvListImageFormats (
(*num)++;
}
} else
- _XEatData(dpy, rep.length << 2);
+ _XEatDataWords(dpy, rep.length);
}
UnlockDisplay(dpy);
@@ -976,7 +992,7 @@ XvImage * XvCreateImage (
_XRead(dpy, (char*)(ret->pitches), rep.num_planes << 2);
_XRead(dpy, (char*)(ret->offsets), rep.num_planes << 2);
} else
- _XEatData(dpy, rep.length << 2);
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay(dpy);
SyncHandle();
commit ed13edeac5adc2e6afcd87f63b5ae1ff9ad47958
Author: Colin Walters <walters@verbum.org>
Date: Wed Jan 4 17:37:06 2012 -0500
autogen.sh: Implement GNOME Build API
http://people.gnome.org/~walters/docs/build-api.txt
Signed-off-by: Adam Jackson <ajax@redhat.com>
diff --git a/autogen.sh b/autogen.sh
index 904cd67..fc34bd5 100755
--- a/autogen.sh
+++ b/autogen.sh
@@ -9,4 +9,6 @@ cd $srcdir
autoreconf -v --install || exit 1
cd $ORIGDIR || exit $?
-$srcdir/configure --enable-maintainer-mode "$@"
+if test -z "$NOCONFIGURE"; then
+ $srcdir/configure "$@"
+fi
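Review bot: `$srcdir/configure "$@"` leaves `$srcdir` unquoted, so a source path containing spaces is split into several words; `"$srcdir"/configure "$@"` avoids that. The hunk also drops `--enable-maintainer-mode` from the configure call, which the commit message does not mention.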
commit 1006d44b8674b5d9c5d7e893878776fbd34dbed2
Author: Adam Jackson <ajax@redhat.com>
Date: Tue Jan 15 14:28:48 2013 -0500
configure: Remove AM_MAINTAINER_MODE
Signed-off-by: Adam Jackson <ajax@redhat.com>
diff --git a/configure.ac b/configure.ac
index d3ad5bf..5494b5d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -29,7 +29,6 @@ AC_CONFIG_HEADERS([config.h])
# Initialize Automake
AM_INIT_AUTOMAKE([foreign dist-bzip2])
-AM_MAINTAINER_MODE
# Initialize libtool
AC_PROG_LIBTOOL
commit ddec3b412e1d857d1a2daa75df61de377e1de9bd
Author: Thomas Klausner <wiz@NetBSD.org>
Date: Tue Jul 17 21:56:28 2012 +0200
Uppercase SH arguments.
Signed-off-by: Thomas Klausner <wiz@NetBSD.org>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
diff --git a/man/XvListImageFormats.man b/man/XvListImageFormats.man
index c5159e5..51e5a2e 100644
--- a/man/XvListImageFormats.man
+++ b/man/XvListImageFormats.man
@@ -1,15 +1,15 @@
.TH XvListImageFormats __libmansuffix__ __vendorversion__ "libXv Functions"
-.SH Name
+.SH NAME
XvListImageFormats \- return list of image formats supported by a video port
.\"
-.SH Syntax
+.SH SYNTAX
.B #include <X11/extensions/Xvlib.h>
.sp
.nf
.BI "XvImageFormatValues * XvListImageFormats (Display *" dpy ","
.BI " XvPortID " port ", int *" p_num_formats ");"
.fi
-.SH Arguments
+.SH ARGUMENTS
.\"
.IP \fIdpy\fR 8
Specifies the connection to the X server.
@@ -18,12 +18,12 @@ Specifies the port whose adaptor is to be queried for its list of attributes.
.IP \fIp_num_formats\fR 8
A pointer to where the number of formats returned in the array is written.
.\"
-.SH Description
+.SH DESCRIPTION
.BR XvListImageFormats (__libmansuffix__)
returns the XvImageFormatValues supported by the specified port. This list
should be freed with
.BR XFree (__libmansuffix__).
-.SH Returned Values
+.SH RETURN VALUES
XvImageFormatValues has the following structure:
.EX
@@ -93,15 +93,15 @@ For planar formats this represents the ordering of the planes.
.IP \fIscanline_order\fR 8
XvTopToBottom or XvBottomToTop.
.\"
-.SH Notes
+.SH NOTES
Since some formats (particularly some planar YUV formats) may not be
completely defined by the parameters above, the guid, when available,
should provide the most accurate description of the format.
.\"
-.SH Diagnostics
+.SH DIAGNOSTICS
.IP [XvBadPort] 8
Generated if the requested port does not exist.
.\"
-.SH See Also
+.SH SEE ALSO
.BR XvCreateImage (__libmansuffix__),
.BR XvCreateShmImage (__libmansuffix__)