
libxv: Changes to 'debian-unstable'



 ChangeLog                  |  132 +++++++++++++++++++++++++++++++++++++++++++++
 autogen.sh                 |    4 +
 configure.ac               |    9 ++-
 debian/changelog           |   17 +++++
 debian/compat              |    2 
 debian/control             |    1 
 debian/rules               |   15 +----
 man/XvListImageFormats.man |   16 ++---
 src/Xv.c                   |   67 +++++++++++++++++++---
 9 files changed, 231 insertions(+), 32 deletions(-)

New commits:
commit ca49d1067d8c4f00a087a7fe641fb59e8b8fcd10
Author: Julien Cristau <jcristau@debian.org>
Date:   Mon Aug 12 22:02:06 2013 +0200

    Upload to unstable

diff --git a/debian/changelog b/debian/changelog
index a627614..9b423d7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-libxv (2:1.0.9-1) UNRELEASED; urgency=low
+libxv (2:1.0.9-1) unstable; urgency=low
 
   * New upstream release.
   * Bump debhelper compat level to 7.
@@ -6,7 +6,7 @@ libxv (2:1.0.9-1) UNRELEASED; urgency=low
   * Use dpkg-buildflags.
   * Use dh_prep instead of dh_clean -k.
 
- -- Julien Cristau <jcristau@debian.org>  Mon, 12 Aug 2013 21:40:31 +0200
+ -- Julien Cristau <jcristau@debian.org>  Mon, 12 Aug 2013 22:00:25 +0200
 
 libxv (2:1.0.7-1+deb7u1) wheezy-security; urgency=high
 

commit eca61eae1fbaff8c71a6aefc02aff42e3784e287
Author: Julien Cristau <jcristau@debian.org>
Date:   Mon Aug 12 22:00:04 2013 +0200

    Use dh_prep instead of dh_clean -k.

diff --git a/debian/changelog b/debian/changelog
index f94fcc4..a627614 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,7 @@ libxv (2:1.0.9-1) UNRELEASED; urgency=low
   * Bump debhelper compat level to 7.
   * Disable silent build rules.
   * Use dpkg-buildflags.
+  * Use dh_prep instead of dh_clean -k.
 
  -- Julien Cristau <jcristau@debian.org>  Mon, 12 Aug 2013 21:40:31 +0200
 
diff --git a/debian/rules b/debian/rules
index c29c781..da20064 100755
--- a/debian/rules
+++ b/debian/rules
@@ -59,7 +59,7 @@ clean: xsfclean
 install: build
 	dh_testdir
 	dh_testroot
-	dh_clean -k
+	dh_prep
 	dh_installdirs
 
 	cd build && $(MAKE) DESTDIR=$(CURDIR)/debian/tmp install

commit f5f28383e5e8d27c4e5db4a80acf1f4127b616e8
Author: Julien Cristau <jcristau@debian.org>
Date:   Mon Aug 12 21:57:57 2013 +0200

    Use dpkg-buildflags.

diff --git a/debian/changelog b/debian/changelog
index 33bc134..f94fcc4 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,7 @@ libxv (2:1.0.9-1) UNRELEASED; urgency=low
   * New upstream release.
   * Bump debhelper compat level to 7.
   * Disable silent build rules.
+  * Use dpkg-buildflags.
 
  -- Julien Cristau <jcristau@debian.org>  Mon, 12 Aug 2013 21:40:31 +0200
 
diff --git a/debian/control b/debian/control
index 375b8b3..e316b2b 100644
--- a/debian/control
+++ b/debian/control
@@ -5,6 +5,7 @@ Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
 Uploaders: Cyril Brulebois <kibi@debian.org>
 Standards-Version: 3.8.3
 Build-Depends:
+ dpkg-dev (>= 1.16.1),
  debhelper (>= 8.1.3),
  libx11-dev (>= 1:0.99.2),
  libxext-dev (>= 1:0.99.1),
diff --git a/debian/rules b/debian/rules
index af7574e..c29c781 100755
--- a/debian/rules
+++ b/debian/rules
@@ -14,12 +14,6 @@ DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH)
 
 include debian/xsfbs/xsfbs.mk
 
-CFLAGS = -Wall -g
-ifneq (,$(filter noopt,$(DEB_BUILD_OPTIONS)))
-	CFLAGS += -O0
-else
-	CFLAGS += -O2
-endif
 ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
 	NUMJOBS = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
 	MAKEFLAGS += -j$(NUMJOBS)
@@ -45,7 +39,7 @@ build-stamp:
 	             --libdir=\$${prefix}/lib/$(DEB_HOST_MULTIARCH) \
 	             --infodir=\$${prefix}/share/info $(confflags) \
 		     --disable-silent-rules \
-	             CFLAGS="$(CFLAGS)" 
+		     $(shell DEB_CFLAGS_MAINT_APPEND=-Wall dpkg-buildflags --export=configure)
 	cd build && $(MAKE)
 	>$@
 

commit 447d54ff60c50ab2b616d0237141d969861e623b
Author: Julien Cristau <jcristau@debian.org>
Date:   Mon Aug 12 21:56:58 2013 +0200

    Disable silent build rules.

diff --git a/debian/changelog b/debian/changelog
index 14edb7e..33bc134 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,7 @@ libxv (2:1.0.9-1) UNRELEASED; urgency=low
 
   * New upstream release.
   * Bump debhelper compat level to 7.
+  * Disable silent build rules.
 
  -- Julien Cristau <jcristau@debian.org>  Mon, 12 Aug 2013 21:40:31 +0200
 
diff --git a/debian/rules b/debian/rules
index 95c8319..af7574e 100755
--- a/debian/rules
+++ b/debian/rules
@@ -44,6 +44,7 @@ build-stamp:
 	../configure --prefix=/usr --mandir=\$${prefix}/share/man \
 	             --libdir=\$${prefix}/lib/$(DEB_HOST_MULTIARCH) \
 	             --infodir=\$${prefix}/share/info $(confflags) \
+		     --disable-silent-rules \
 	             CFLAGS="$(CFLAGS)" 
 	cd build && $(MAKE)
 	>$@

commit 62b36703540d289f6eb2e2fe0bd435b29e2f4440
Author: Julien Cristau <jcristau@debian.org>
Date:   Mon Aug 12 21:46:28 2013 +0200

    Bump debhelper compat level to 7.

diff --git a/debian/changelog b/debian/changelog
index 9ed1546..14edb7e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,7 @@
 libxv (2:1.0.9-1) UNRELEASED; urgency=low
 
   * New upstream release.
+  * Bump debhelper compat level to 7.
 
  -- Julien Cristau <jcristau@debian.org>  Mon, 12 Aug 2013 21:40:31 +0200
 
diff --git a/debian/compat b/debian/compat
index 7ed6ff8..7f8f011 100644
--- a/debian/compat
+++ b/debian/compat
@@ -1 +1 @@
-5
+7
diff --git a/debian/rules b/debian/rules
index 53d6c55..95c8319 100755
--- a/debian/rules
+++ b/debian/rules
@@ -75,8 +75,8 @@ binary-arch: build install
 	dh_testroot
 
 	dh_installdocs
-	dh_install --sourcedir=debian/tmp --fail-missing --exclude=libXv.la
-	dh_installchangelogs ChangeLog
+	dh_install --fail-missing --exclude=libXv.la
+	dh_installchangelogs
 	dh_link
 	dh_strip --dbg-package=$(PACKAGE)-dbg
 	dh_compress

commit a45ad88b125034851ea040a340d434dd20b66434
Author: Julien Cristau <jcristau@debian.org>
Date:   Mon Aug 12 21:40:42 2013 +0200

    Bump changelogs

diff --git a/ChangeLog b/ChangeLog
index ab6871f..1ddb874 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,135 @@
+commit d58f74ebfd0c56ffeb8e288c65592228af197a2e
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Sat Jun 22 19:06:09 2013 -0700
+
+    libXv 1.0.9
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit 22cc0c897a28a41d49fe68277bb3c002f54bbb48
+Author: Daphne Pfister <daphnediane@mac.com>
+Date:   Sat Jun 1 22:27:23 2013 -0400
+
+    Bug 65252: Ensure final name is nil-terminated & none point to uninitialized memory.
+    
+    This patch attempts to fix this bug by ensuring that there is at least one
+    nil byte at the end of all the name strings. This should prevent reading
+    past the end of the allocation as well as exposing uninitialized memory.
+    
+    Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit edfb6fc397686c1892603d0f86a9aadf14dbc12e
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Sat Jun 1 17:26:11 2013 -0700
+
+    XvQueryPortAttributes: add a comment explaining memory strategy
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit 179ed259e75a62e74532e36f52f3838deb2aac92
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Fri May 31 17:49:24 2013 -0700
+
+    libXv 1.0.8
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit 50fc4cb18069cb9450a02c13f80223ef23511409
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Sat Apr 13 00:03:03 2013 -0700
+
+    integer overflow in XvCreateImage() [CVE-2013-1989 3/3]
+    
+    num_planes is a CARD32 and needs to be bounds checked before bit shifting
+    and adding to sizeof(XvImage) to come up with the total size to allocate,
+    to avoid integer overflow leading to underallocation and writing data from
+    the network past the end of the allocated buffer.
+    
+    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit 59301c1b5095f7dc6359d5b396dbbcdee7038270
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Sat Apr 13 00:03:03 2013 -0700
+
+    integer overflow in XvListImageFormats() [CVE-2013-1989 2/3]
+    
+    num_formats is a CARD32 and needs to be bounds checked before multiplying
+    by sizeof(XvImageFormatValues) to come up with the total size to allocate,
+    to avoid integer overflow leading to underallocation and writing data from
+    the network past the end of the allocated buffer.
+    
+    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit 15ab7dec17d686c38f2c82ac23a17cac5622322a
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Sat Apr 13 00:16:14 2013 -0700
+
+    buffer overflow in XvQueryPortAttributes() [CVE-2013-2066]
+    
+    Each attribute returned in the reply includes the number of bytes
+    to read for its marker.  We had been always trusting it, and never
+    validating that it wouldn't cause us to write past the end of the
+    buffer we allocated based on the reported text_size.
+    
+    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit 6e1b743a276651195be3cd68dff41e38426bf3ab
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Sat Apr 13 00:03:03 2013 -0700
+
+    integer overflow in XvQueryPortAttributes() [CVE-2013-1989 1/3]
+    
+    The num_attributes & text_size members of the reply are both CARD32s
+    and need to be bounds checked before multiplying & adding them together
+    to come up with the total size to allocate, to avoid integer overflow
+    leading to underallocation and writing data from the network past the
+    end of the allocated buffer.
+    
+    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit 79362c764a6df7e7fbe5247756bdbf60f3a58baf
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Sat Apr 13 00:28:34 2013 -0700
+
+    Use _XEatDataWords to avoid overflow of rep.length shifting
+    
+    rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit ed13edeac5adc2e6afcd87f63b5ae1ff9ad47958
+Author: Colin Walters <walters@verbum.org>
+Date:   Wed Jan 4 17:37:06 2012 -0500
+
+    autogen.sh: Implement GNOME Build API
+    
+    http://people.gnome.org/~walters/docs/build-api.txt
+    
+    Signed-off-by: Adam Jackson <ajax@redhat.com>
+
+commit 1006d44b8674b5d9c5d7e893878776fbd34dbed2
+Author: Adam Jackson <ajax@redhat.com>
+Date:   Tue Jan 15 14:28:48 2013 -0500
+
+    configure: Remove AM_MAINTAINER_MODE
+    
+    Signed-off-by: Adam Jackson <ajax@redhat.com>
+
+commit ddec3b412e1d857d1a2daa75df61de377e1de9bd
+Author: Thomas Klausner <wiz@NetBSD.org>
+Date:   Tue Jul 17 21:56:28 2012 +0200
+
+    Uppercase SH arguments.
+    
+    Signed-off-by: Thomas Klausner <wiz@NetBSD.org>
+    Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
 commit 0f4fa1820041394e879517abb49c0391ecc796f7
 Author: Alan Coopersmith <alan.coopersmith@oracle.com>
 Date:   Wed Mar 7 21:25:38 2012 -0800
diff --git a/debian/changelog b/debian/changelog
index 77ddace..9ed1546 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+libxv (2:1.0.9-1) UNRELEASED; urgency=low
+
+  * New upstream release.
+
+ -- Julien Cristau <jcristau@debian.org>  Mon, 12 Aug 2013 21:40:31 +0200
+
 libxv (2:1.0.7-1+deb7u1) wheezy-security; urgency=high
 
   * integer overflows calculating memory needs for replies [CVE-2013-1989]

commit d58f74ebfd0c56ffeb8e288c65592228af197a2e
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Jun 22 19:06:09 2013 -0700

    libXv 1.0.9
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

diff --git a/configure.ac b/configure.ac
index cc88490..4f8c5f2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -22,7 +22,7 @@
 
 # Initialize Autoconf
 AC_PREREQ([2.60])
-AC_INIT([libXv], [1.0.8],
+AC_INIT([libXv], [1.0.9],
         [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXv])
 AC_CONFIG_SRCDIR([Makefile.am])
 AC_CONFIG_HEADERS([config.h])

commit 22cc0c897a28a41d49fe68277bb3c002f54bbb48
Author: Daphne Pfister <daphnediane@mac.com>
Date:   Sat Jun 1 22:27:23 2013 -0400

    Bug 65252: Ensure final name is nil-terminated & none point to uninitialized memory.
    
    This patch attempts to fix this bug by ensuring that there is at least one
    nil byte at the end of all the name strings. This should prevent reading
    past the end of the allocation as well as exposing uninitialized memory.
    
    Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

diff --git a/src/Xv.c b/src/Xv.c
index 15c0bfd..8c45401 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -865,8 +865,8 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
       unsigned long size;
       /* limit each part to no more than one half the max size */
       if ((rep.num_attributes < ((INT_MAX / 2) / sizeof(XvAttribute))) &&
-	  (rep.text_size < (INT_MAX / 2))) {
-	  size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size;
+	  (rep.text_size < (INT_MAX / 2)-1)) {
+	  size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size + 1;
 	  ret = Xmalloc(size);
       }
 
@@ -891,6 +891,10 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
 	      }
 	      (*num)++;
 	  }
+
+	  /* ensure final string is nil-terminated to avoid exposure of
+             uninitialized memory */
+	  *marker = '\0';
       } else
 	  _XEatDataWords(dpy, rep.length);
   }
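Review bot: The added `*marker = '\0'` terminates only the end of the text area, so every earlier `ret[i].name` is still terminated only if the server put a NUL inside its own `Info.size` bytes. An earlier name without one runs on into the following name; it stays inside the allocation because of the extra byte reserved in the first hunk of this commit, but the caller sees concatenated names. The comment should say this, for example `/* terminates the text area only; each name otherwise relies on the NUL sent by the server */`. The loop and the rest of XvQueryPortAttributes() lie outside the hunk.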

commit edfb6fc397686c1892603d0f86a9aadf14dbc12e
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Jun 1 17:26:11 2013 -0700

    XvQueryPortAttributes: add a comment explaining memory strategy
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

diff --git a/src/Xv.c b/src/Xv.c
index f268f8e..15c0bfd 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -850,6 +850,17 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
       return ret;
   }
 
+  /*
+   * X server sends data packed as:
+   *   attribute1, name1, attribute2, name2, ...
+   * We allocate a single buffer large enough to hold them all and
+   * then de-interleave the data so we return it to clients as:
+   *   attribute1, attribute2, ..., name1, name2, ...
+   * so that clients may refer to attributes as a simple array of
+   * structs:  attributes[0], attributes[1], ...
+   * and free it as a single/simple buffer.
+   */
+
   if(rep.num_attributes) {
       unsigned long size;
       /* limit each part to no more than one half the max size */

commit 179ed259e75a62e74532e36f52f3838deb2aac92
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri May 31 17:49:24 2013 -0700

    libXv 1.0.8
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

diff --git a/configure.ac b/configure.ac
index 6a335db..cc88490 100644
--- a/configure.ac
+++ b/configure.ac
@@ -22,7 +22,7 @@
 
 # Initialize Autoconf
 AC_PREREQ([2.60])
-AC_INIT([libXv], [1.0.7],
+AC_INIT([libXv], [1.0.8],
         [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXv])
 AC_CONFIG_SRCDIR([Makefile.am])
 AC_CONFIG_HEADERS([config.h])

commit 772a7a1c4dc28505a60608a35bc54f0ada676dc2
Author: Julien Cristau <jcristau@debian.org>
Date:   Tue May 14 23:11:35 2013 +0200

    Upload to wheezy-security

diff --git a/debian/changelog b/debian/changelog
index 0bd363f..77ddace 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+libxv (2:1.0.7-1+deb7u1) wheezy-security; urgency=high
+
+  * integer overflows calculating memory needs for replies [CVE-2013-1989]
+  * buffer overflow in XvQueryPortAttributes() [CVE-2013-2066]
+
+ -- Julien Cristau <jcristau@debian.org>  Tue, 14 May 2013 23:08:52 +0200
+
 libxv (2:1.0.7-1) unstable; urgency=low
 
   [ Robert Hooker ]

commit e2a6d8ff910ac012dc7cd3b6456ec3ad658f6a1e
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Apr 13 00:03:03 2013 -0700

    integer overflow in XvCreateImage() [CVE-2013-1989 3/3]
    
    num_planes is a CARD32 and needs to be bounds checked before bit shifting
    and adding to sizeof(XvImage) to come up with the total size to allocate,
    to avoid integer overflow leading to underallocation and writing data from
    the network past the end of the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

diff --git a/src/Xv.c b/src/Xv.c
index 0a07d9d..f268f8e 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -992,7 +992,10 @@ XvImage * XvCreateImage (
       return NULL;
    }
 
-   if((ret = (XvImage*)Xmalloc(sizeof(XvImage) + (rep.num_planes << 3)))) {
+   if (rep.num_planes < ((INT_MAX >> 3) - sizeof(XvImage)))
+       ret = Xmalloc(sizeof(XvImage) + (rep.num_planes << 3));
+
+   if (ret != NULL) {
 	ret->id = id;
 	ret->width = rep.width;
 	ret->height = rep.height;
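Review bot: Now that the allocation is conditional, `if (ret != NULL)` is only meaningful when `ret` was set to NULL before this point, and its declaration is outside the hunk, so that needs confirming or making explicit with `ret = NULL;` ahead of the bounds check. The same shape appears in the XvListImageFormats() and XvQueryPortAttributes() hunks of the following commits, and in the upstream copies of all three further down the page. A short comment such as `/* oversized num_planes: leave ret NULL so the reply is discarded below */` would also show that a rejected count is meant to take the same path as an allocation failure.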

commit e02fba7ae99169326a48461785be9e534c9deea3
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Apr 13 00:03:03 2013 -0700

    integer overflow in XvListImageFormats() [CVE-2013-1989 2/3]
    
    num_formats is a CARD32 and needs to be bounds checked before multiplying
    by sizeof(XvImageFormatValues) to come up with the total size to allocate,
    to avoid integer overflow leading to underallocation and writing data from
    the network past the end of the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

diff --git a/src/Xv.c b/src/Xv.c
index f9813eb..0a07d9d 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -918,9 +918,10 @@ XvImageFormatValues * XvListImageFormats (
   }
 
   if(rep.num_formats) {
-      int size = (rep.num_formats * sizeof(XvImageFormatValues));
+      if (rep.num_formats < (INT_MAX / sizeof(XvImageFormatValues)))
+	  ret = Xmalloc(rep.num_formats * sizeof(XvImageFormatValues));
 
-      if((ret = Xmalloc(size))) {
+      if (ret != NULL) {
 	  xvImageFormatInfo Info;
 	  int i;
 

commit 3219a1eee1342ac34ea6363abc31499cd47cce3f
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Apr 13 00:16:14 2013 -0700

    buffer overflow in XvQueryPortAttributes() [CVE-2013-2066]
    
    Each attribute returned in the reply includes the number of bytes
    to read for its marker.  We had been always trusting it, and never
    validating that it wouldn't cause us to write past the end of the
    buffer we allocated based on the reported text_size.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

diff --git a/src/Xv.c b/src/Xv.c
index 3cbad35..f9813eb 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -864,14 +864,20 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
 	  xvAttributeInfo Info;
 	  int i;
 
+	  /* keep track of remaining room for text strings */
+	  size = rep.text_size;
+
 	  for(i = 0; i < rep.num_attributes; i++) {
              _XRead(dpy, (char*)(&Info), sz_xvAttributeInfo);
 	      ret[i].flags = (int)Info.flags;
 	      ret[i].min_value = Info.min;
 	      ret[i].max_value = Info.max;
 	      ret[i].name = marker;
-	      _XRead(dpy, marker, Info.size);
-	      marker += Info.size;
+	      if (Info.size <= size) {
+		  _XRead(dpy, marker, Info.size);
+		  marker += Info.size;
+		  size -= Info.size;
+	      }
 	      (*num)++;
 	  }
       } else
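Review bot: When `Info.size > size` the name bytes are neither read nor discarded, so the next `_XRead` into `Info` would apparently start in the middle of the skipped name and the rest of the reply would be parsed out of step. `ret[i].name` is also left pointing at `marker`, which the next attribute then reuses. Discarding the bytes in an else branch, e.g. `else _XEatData(dpy, Info.size);`, or stopping the loop and failing the call, would keep the connection consistent. The identical hunk appears again in upstream commit 15ab7dec further down the page; the function starts and ends outside the hunk.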

commit 6458d0928a359d48fde4f3ef011c6fbfc7925ab7
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Apr 13 00:03:03 2013 -0700

    integer overflow in XvQueryPortAttributes() [CVE-2013-1989 1/3]
    
    The num_attributes & text_size members of the reply are both CARD32s
    and need to be bounds checked before multiplying & adding them together
    to come up with the total size to allocate, to avoid integer overflow
    leading to underallocation and writing data from the network past the
    end of the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

diff --git a/src/Xv.c b/src/Xv.c
index 5be1d95..3cbad35 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -851,9 +851,15 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
   }
 
   if(rep.num_attributes) {
-      int size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size;
+      unsigned long size;
+      /* limit each part to no more than one half the max size */
+      if ((rep.num_attributes < ((INT_MAX / 2) / sizeof(XvAttribute))) &&
+	  (rep.text_size < (INT_MAX / 2))) {
+	  size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size;
+	  ret = Xmalloc(size);
+      }
 
-      if((ret = Xmalloc(size))) {
+      if (ret != NULL) {
 	  char* marker = (char*)(&ret[rep.num_attributes]);
 	  xvAttributeInfo Info;
 	  int i;

commit a658f6de385c910764dd778b240d44f0c4225c6d
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Apr 13 00:28:34 2013 -0700

    Use _XEatDataWords to avoid overflow of rep.length shifting
    
    rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

diff --git a/configure.ac b/configure.ac
index d3ad5bf..d41eed2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -44,6 +44,12 @@ XORG_CHECK_MALLOC_ZERO
 # Obtain compiler/linker options for depedencies
 PKG_CHECK_MODULES(XV, x11 xext xextproto videoproto)
 
+# Check for _XEatDataWords function that may be patched into older Xlib release
+SAVE_LIBS="$LIBS"
+LIBS="$XV_LIBS"
+AC_CHECK_FUNCS([_XEatDataWords])
+LIBS="$SAVE_LIBS"
+
 # Allow checking code with lint, sparse, etc.
 XORG_WITH_LINT
 XORG_LINT_LIBRARY([Xv])
diff --git a/src/Xv.c b/src/Xv.c
index b081e8a..5be1d95 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -49,11 +49,27 @@ SOFTWARE.
 **
 */
 
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
 #include <stdio.h>
 #include "Xvlibint.h"
 #include <X11/extensions/Xext.h>
 #include <X11/extensions/extutil.h>
 #include <X11/extensions/XShm.h>
+#include <limits.h>
+
+#ifndef HAVE__XEATDATAWORDS
+static inline void _XEatDataWords(Display *dpy, unsigned long n)
+{
+# ifndef LONG64
+    if (n >= (ULONG_MAX >> 2))
+        _XIOError(dpy);
+# endif
+    _XEatData (dpy, n << 2);
+}
+#endif
 
 static XExtensionInfo _xv_info_data;
 static XExtensionInfo *xv_info = &_xv_info_data;
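Review bot: The 32-bit guard in the fallback `_XEatDataWords` is only safe if `_XIOError()` never returns, because `_XEatData (dpy, n << 2)` follows it unconditionally and would otherwise run with the wrapped value. A one-line comment such as `/* _XIOError does not return */` after the call would make that assumption explicit. The fallback is compiled only when `HAVE__XEATDATAWORDS` is undefined, so it also depends on the `config.h` include added at the top of this hunk staying ahead of it. The same hunk is repeated in upstream commit 79362c76 later on the page.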
@@ -853,7 +869,7 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
 	      (*num)++;
 	  }
       } else
-	_XEatData(dpy, rep.length << 2);
+	  _XEatDataWords(dpy, rep.length);
   }
 
   UnlockDisplay(dpy);
@@ -923,7 +939,7 @@ XvImageFormatValues * XvListImageFormats (
 	      (*num)++;
 	  }
       } else
-	_XEatData(dpy, rep.length << 2);
+	  _XEatDataWords(dpy, rep.length);
   }
 
   UnlockDisplay(dpy);
@@ -976,7 +992,7 @@ XvImage * XvCreateImage (
   	_XRead(dpy, (char*)(ret->pitches), rep.num_planes << 2);
 	_XRead(dpy, (char*)(ret->offsets), rep.num_planes << 2);
    } else
-	_XEatData(dpy, rep.length << 2);
+       _XEatDataWords(dpy, rep.length);
 
    UnlockDisplay(dpy);
    SyncHandle();

commit 50fc4cb18069cb9450a02c13f80223ef23511409
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Apr 13 00:03:03 2013 -0700

    integer overflow in XvCreateImage() [CVE-2013-1989 3/3]
    
    num_planes is a CARD32 and needs to be bounds checked before bit shifting
    and adding to sizeof(XvImage) to come up with the total size to allocate,
    to avoid integer overflow leading to underallocation and writing data from
    the network past the end of the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

diff --git a/src/Xv.c b/src/Xv.c
index 0a07d9d..f268f8e 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -992,7 +992,10 @@ XvImage * XvCreateImage (
       return NULL;
    }
 
-   if((ret = (XvImage*)Xmalloc(sizeof(XvImage) + (rep.num_planes << 3)))) {
+   if (rep.num_planes < ((INT_MAX >> 3) - sizeof(XvImage)))
+       ret = Xmalloc(sizeof(XvImage) + (rep.num_planes << 3));
+
+   if (ret != NULL) {
 	ret->id = id;
 	ret->width = rep.width;
 	ret->height = rep.height;

commit 59301c1b5095f7dc6359d5b396dbbcdee7038270
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Apr 13 00:03:03 2013 -0700

    integer overflow in XvListImageFormats() [CVE-2013-1989 2/3]
    
    num_formats is a CARD32 and needs to be bounds checked before multiplying
    by sizeof(XvImageFormatValues) to come up with the total size to allocate,
    to avoid integer overflow leading to underallocation and writing data from
    the network past the end of the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

diff --git a/src/Xv.c b/src/Xv.c
index f9813eb..0a07d9d 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -918,9 +918,10 @@ XvImageFormatValues * XvListImageFormats (
   }
 
   if(rep.num_formats) {
-      int size = (rep.num_formats * sizeof(XvImageFormatValues));
+      if (rep.num_formats < (INT_MAX / sizeof(XvImageFormatValues)))
+	  ret = Xmalloc(rep.num_formats * sizeof(XvImageFormatValues));
 
-      if((ret = Xmalloc(size))) {
+      if (ret != NULL) {
 	  xvImageFormatInfo Info;
 	  int i;
 

commit 15ab7dec17d686c38f2c82ac23a17cac5622322a
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Apr 13 00:16:14 2013 -0700

    buffer overflow in XvQueryPortAttributes() [CVE-2013-2066]
    
    Each attribute returned in the reply includes the number of bytes
    to read for its marker.  We had been always trusting it, and never
    validating that it wouldn't cause us to write past the end of the
    buffer we allocated based on the reported text_size.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

diff --git a/src/Xv.c b/src/Xv.c
index 3cbad35..f9813eb 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -864,14 +864,20 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
 	  xvAttributeInfo Info;
 	  int i;
 
+	  /* keep track of remaining room for text strings */
+	  size = rep.text_size;
+
 	  for(i = 0; i < rep.num_attributes; i++) {
              _XRead(dpy, (char*)(&Info), sz_xvAttributeInfo);
 	      ret[i].flags = (int)Info.flags;
 	      ret[i].min_value = Info.min;
 	      ret[i].max_value = Info.max;
 	      ret[i].name = marker;
-	      _XRead(dpy, marker, Info.size);
-	      marker += Info.size;
+	      if (Info.size <= size) {
+		  _XRead(dpy, marker, Info.size);
+		  marker += Info.size;
+		  size -= Info.size;
+	      }
 	      (*num)++;
 	  }
       } else

commit 6e1b743a276651195be3cd68dff41e38426bf3ab
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Apr 13 00:03:03 2013 -0700

    integer overflow in XvQueryPortAttributes() [CVE-2013-1989 1/3]
    
    The num_attributes & text_size members of the reply are both CARD32s
    and need to be bounds checked before multiplying & adding them together
    to come up with the total size to allocate, to avoid integer overflow
    leading to underallocation and writing data from the network past the
    end of the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

diff --git a/src/Xv.c b/src/Xv.c
index 5be1d95..3cbad35 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -851,9 +851,15 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
   }
 
   if(rep.num_attributes) {
-      int size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size;
+      unsigned long size;
+      /* limit each part to no more than one half the max size */
+      if ((rep.num_attributes < ((INT_MAX / 2) / sizeof(XvAttribute))) &&
+	  (rep.text_size < (INT_MAX / 2))) {
+	  size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size;
+	  ret = Xmalloc(size);
+      }
 
-      if((ret = Xmalloc(size))) {
+      if (ret != NULL) {
 	  char* marker = (char*)(&ret[rep.num_attributes]);
 	  xvAttributeInfo Info;
 	  int i;

commit 79362c764a6df7e7fbe5247756bdbf60f3a58baf
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Apr 13 00:28:34 2013 -0700

    Use _XEatDataWords to avoid overflow of rep.length shifting
    
    rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

diff --git a/configure.ac b/configure.ac
index 5494b5d..6a335db 100644
--- a/configure.ac
+++ b/configure.ac
@@ -43,6 +43,12 @@ XORG_CHECK_MALLOC_ZERO
 # Obtain compiler/linker options for depedencies
 PKG_CHECK_MODULES(XV, x11 xext xextproto videoproto)
 
+# Check for _XEatDataWords function that may be patched into older Xlib release
+SAVE_LIBS="$LIBS"
+LIBS="$XV_LIBS"
+AC_CHECK_FUNCS([_XEatDataWords])
+LIBS="$SAVE_LIBS"
+
 # Allow checking code with lint, sparse, etc.
 XORG_WITH_LINT
 XORG_LINT_LIBRARY([Xv])
diff --git a/src/Xv.c b/src/Xv.c
index b081e8a..5be1d95 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -49,11 +49,27 @@ SOFTWARE.
 **
 */
 
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
 #include <stdio.h>
 #include "Xvlibint.h"
 #include <X11/extensions/Xext.h>
 #include <X11/extensions/extutil.h>
 #include <X11/extensions/XShm.h>
+#include <limits.h>
+
+#ifndef HAVE__XEATDATAWORDS
+static inline void _XEatDataWords(Display *dpy, unsigned long n)
+{
+# ifndef LONG64
+    if (n >= (ULONG_MAX >> 2))
+        _XIOError(dpy);
+# endif
+    _XEatData (dpy, n << 2);
+}
+#endif
 
 static XExtensionInfo _xv_info_data;
 static XExtensionInfo *xv_info = &_xv_info_data;
@@ -853,7 +869,7 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
 	      (*num)++;
 	  }
       } else
-	_XEatData(dpy, rep.length << 2);
+	  _XEatDataWords(dpy, rep.length);
   }
 
   UnlockDisplay(dpy);
@@ -923,7 +939,7 @@ XvImageFormatValues * XvListImageFormats (
 	      (*num)++;
 	  }
       } else
-	_XEatData(dpy, rep.length << 2);
+	  _XEatDataWords(dpy, rep.length);
   }
 
   UnlockDisplay(dpy);
@@ -976,7 +992,7 @@ XvImage * XvCreateImage (
   	_XRead(dpy, (char*)(ret->pitches), rep.num_planes << 2);
 	_XRead(dpy, (char*)(ret->offsets), rep.num_planes << 2);
    } else
-	_XEatData(dpy, rep.length << 2);
+       _XEatDataWords(dpy, rep.length);
 
    UnlockDisplay(dpy);
    SyncHandle();

commit ed13edeac5adc2e6afcd87f63b5ae1ff9ad47958
Author: Colin Walters <walters@verbum.org>
Date:   Wed Jan 4 17:37:06 2012 -0500

    autogen.sh: Implement GNOME Build API
    
    http://people.gnome.org/~walters/docs/build-api.txt
    
    Signed-off-by: Adam Jackson <ajax@redhat.com>

diff --git a/autogen.sh b/autogen.sh
index 904cd67..fc34bd5 100755
--- a/autogen.sh
+++ b/autogen.sh
@@ -9,4 +9,6 @@ cd $srcdir
 autoreconf -v --install || exit 1
 cd $ORIGDIR || exit $?
 
-$srcdir/configure --enable-maintainer-mode "$@"
+if test -z "$NOCONFIGURE"; then
+    $srcdir/configure "$@"
+fi
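Review bot: `$srcdir` is expanded unquoted in the new `$srcdir/configure "$@"` line, so a source path containing spaces or glob characters is split before the script is run; `"$srcdir/configure" "$@"` avoids that. The `cd $srcdir` shown in the hunk header has the same pattern but is outside the changed lines.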

commit 1006d44b8674b5d9c5d7e893878776fbd34dbed2
Author: Adam Jackson <ajax@redhat.com>
Date:   Tue Jan 15 14:28:48 2013 -0500

    configure: Remove AM_MAINTAINER_MODE
    
    Signed-off-by: Adam Jackson <ajax@redhat.com>

diff --git a/configure.ac b/configure.ac
index d3ad5bf..5494b5d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -29,7 +29,6 @@ AC_CONFIG_HEADERS([config.h])
 
 # Initialize Automake

