libxvmc: Changes to 'upstream-unstable'
autogen.sh | 4 ++
configure.ac | 9 +++++-
src/XvMC.c | 79 ++++++++++++++++++++++++++++++++++++-----------------------
3 files changed, 59 insertions(+), 33 deletions(-)
New commits:
commit 1fb06ecf88155452ece93ac309435106f9569d54
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Thu Jun 13 22:57:03 2013 -0700
libXvMC 1.0.8
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
diff --git a/configure.ac b/configure.ac
index f9d59a1..7c2a7e0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -21,7 +21,7 @@
# Initialize Autoconf
AC_PREREQ([2.60])
-AC_INIT([libXvMC], [1.0.7],
+AC_INIT([libXvMC], [1.0.8],
[https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXvMC])
AC_CONFIG_SRCDIR([Makefile.am])
AC_CONFIG_HEADERS([config.h])
commit 554200b59e880a1cf36dd244eeb5f330d93499b6
Author: Julien Cristau <jcristau@debian.org>
Date: Sat Jun 1 11:26:15 2013 +0200
avoid overflowing by making nameLen and busIDLen addition overflow
Al Viro pointed this out on lwn: if nameLen + busIDLen overflows, we end
up copying data from outside tmpBuf.
Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
diff --git a/src/XvMC.c b/src/XvMC.c
index 74c8b85..00ac760 100644
--- a/src/XvMC.c
+++ b/src/XvMC.c
@@ -573,7 +573,9 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port,
unsigned long realSize = 0;
char *tmpBuf = NULL;
- if (rep.length < (INT_MAX >> 2)) {
+ if ((rep.length < (INT_MAX >> 2)) &&
+ /* protect against overflow in strncpy below */
+ (rep.nameLen + rep.busIDLen > rep.nameLen)) {
realSize = rep.length << 2;
if (realSize >= (rep.nameLen + rep.busIDLen)) {
tmpBuf = Xmalloc(realSize);
commit 8c164524d229adb6141fdac8336b3823e7fe1a5d
Author: Dave Airlie <airlied@redhat.com>
Date: Fri May 24 14:47:30 2013 +1000
Multiple unvalidated patches in CVE-2013-1999
Al Viro pointed out that Debian started segfaulting in Xine for him,
Reported-by: Al Viro
Signed-off-by: Dave Airlie <airlied@redhat.com>
diff --git a/src/XvMC.c b/src/XvMC.c
index cb42487..74c8b85 100644
--- a/src/XvMC.c
+++ b/src/XvMC.c
@@ -585,15 +585,15 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port,
if (*name && *busID && tmpBuf) {
_XRead(dpy, tmpBuf, realSize);
strncpy(*name,tmpBuf,rep.nameLen);
- name[rep.nameLen - 1] = '\0';
+ (*name)[rep.nameLen - 1] = '\0';
strncpy(*busID,tmpBuf+rep.nameLen,rep.busIDLen);
- busID[rep.busIDLen - 1] = '\0';
+ (*busID)[rep.busIDLen - 1] = '\0';
XFree(tmpBuf);
} else {
XFree(*name);
*name = NULL;
XFree(*busID);
- *name = NULL;
+ *busID = NULL;
XFree(tmpBuf);
_XEatDataWords(dpy, rep.length);
commit e9415ddef2ac81d4139bd32d5e9cda9394a60051
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat Apr 13 01:20:08 2013 -0700
Multiple unvalidated assumptions in XvMCGetDRInfo() [CVE-2013-1999]
The individual string sizes is assumed to not be more than the amount of
data read from the network, and could cause buffer overflow if they are.
The strings returned from the X server are assumed to be null terminated,
and could cause callers to read past the end of the buffer if they are not.
Also be sure to set the returned pointers to NULL, so callers don't try
accessing bad pointers on failure cases.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
diff --git a/src/XvMC.c b/src/XvMC.c
index d8bc59d..cb42487 100644
--- a/src/XvMC.c
+++ b/src/XvMC.c
@@ -499,7 +499,6 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port,
XExtDisplayInfo *info = xvmc_find_display(dpy);
xvmcGetDRInfoReply rep;
xvmcGetDRInfoReq *req;
- char *tmpBuf = NULL;
CARD32 magic;
#ifdef HAVE_SHMAT
@@ -510,6 +509,9 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port,
here.tz_dsttime = 0;
#endif
+ *name = NULL;
+ *busID = NULL;
+
XvMCCheckExtension (dpy, info, BadImplementation);
LockDisplay (dpy);
@@ -568,31 +570,31 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port,
#endif
if (rep.length > 0) {
-
- int realSize = rep.length << 2;
-
- tmpBuf = (char *) Xmalloc(realSize);
- if (tmpBuf) {
- *name = (char *) Xmalloc(rep.nameLen);
- if (*name) {
- *busID = (char *) Xmalloc(rep.busIDLen);
- if (! *busID) {
- XFree(*name);
- XFree(tmpBuf);
- }
- } else {
- XFree(tmpBuf);
+ unsigned long realSize = 0;
+ char *tmpBuf = NULL;
+
+ if (rep.length < (INT_MAX >> 2)) {
+ realSize = rep.length << 2;
+ if (realSize >= (rep.nameLen + rep.busIDLen)) {
+ tmpBuf = Xmalloc(realSize);
+ *name = Xmalloc(rep.nameLen);
+ *busID = Xmalloc(rep.busIDLen);
}
}
if (*name && *busID && tmpBuf) {
-
_XRead(dpy, tmpBuf, realSize);
strncpy(*name,tmpBuf,rep.nameLen);
+ name[rep.nameLen - 1] = '\0';
strncpy(*busID,tmpBuf+rep.nameLen,rep.busIDLen);
+ busID[rep.busIDLen - 1] = '\0';
XFree(tmpBuf);
-
} else {
+ XFree(*name);
+ *name = NULL;
+ XFree(*busID);
+ *name = NULL;
+ XFree(tmpBuf);
_XEatDataWords(dpy, rep.length);
UnlockDisplay (dpy);
commit 5fd871e5f878810f8f8837725d548e07e89577ab
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat Apr 13 00:50:02 2013 -0700
integer overflow in _xvmc_create_*()
rep.length is a CARD32 and should be bounds checked before left-shifting
by 2 bits to come up with the total size to allocate, though in these
cases, no buffer overflow should occur here, since the XRead call is passed
the same rep.length << 2 length argument, but the *priv_count returned to
the caller could be interpreted or used to calculate a larger buffer size
than was actually allocated, leading them to go out of bounds.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
diff --git a/src/XvMC.c b/src/XvMC.c
index 8d602ec..d8bc59d 100644
--- a/src/XvMC.c
+++ b/src/XvMC.c
@@ -285,7 +285,8 @@ Status _xvmc_create_context (
context->flags = rep.flags_return;
if(rep.length) {
- *priv_data = Xmalloc(rep.length << 2);
+ if (rep.length < (INT_MAX >> 2))
+ *priv_data = Xmalloc(rep.length << 2);
if(*priv_data) {
_XRead(dpy, (char*)(*priv_data), rep.length << 2);
*priv_count = rep.length;
@@ -366,7 +367,8 @@ Status _xvmc_create_surface (
}
if(rep.length) {
- *priv_data = Xmalloc(rep.length << 2);
+ if (rep.length < (INT_MAX >> 2))
+ *priv_data = Xmalloc(rep.length << 2);
if(*priv_data) {
_XRead(dpy, (char*)(*priv_data), rep.length << 2);
*priv_count = rep.length;
@@ -456,7 +458,8 @@ Status _xvmc_create_subpicture (
subpicture->component_order[3] = rep.component_order[3];
if(rep.length) {
- *priv_data = Xmalloc(rep.length << 2);
+ if (rep.length < (INT_MAX >> 2))
+ *priv_data = Xmalloc(rep.length << 2);
if(*priv_data) {
_XRead(dpy, (char*)(*priv_data), rep.length << 2);
*priv_count = rep.length;
commit 478d4e5873eeee2ebdce6673e4e3469816ab63b8
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat Apr 13 00:50:02 2013 -0700
integer overflow in XvMCListSubpictureTypes() [CVE-2013-1990 2/2]
rep.num is a CARD32 and needs to be bounds checked before multiplying by
sizeof(XvImageFormatValues) to come up with the total size to allocate,
to avoid integer overflow leading to underallocation and writing data from
the network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
diff --git a/src/XvMC.c b/src/XvMC.c
index 5d8c2cf..8d602ec 100644
--- a/src/XvMC.c
+++ b/src/XvMC.c
@@ -184,8 +184,8 @@ XvImageFormatValues * XvMCListSubpictureTypes (
}
if(rep.num > 0) {
- ret =
- (XvImageFormatValues*)Xmalloc(rep.num * sizeof(XvImageFormatValues));
+ if (rep.num < (INT_MAX / sizeof(XvImageFormatValues)))
+ ret = Xmalloc(rep.num * sizeof(XvImageFormatValues));
if(ret) {
xvImageFormatInfo Info;
commit 2712383813b26475dc6713888414d842be57f8ca
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat Apr 13 00:50:02 2013 -0700
integer overflow in XvMCListSurfaceTypes() [CVE-2013-1990 1/2]
rep.num is a CARD32 and needs to be bounds checked before multiplying
by sizeof(XvMCSurfaceInfo) to come up with the total size to allocate,
to avoid integer overflow leading to underallocation and writing data from
the network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
diff --git a/src/XvMC.c b/src/XvMC.c
index b3e97ec..5d8c2cf 100644
--- a/src/XvMC.c
+++ b/src/XvMC.c
@@ -123,8 +123,8 @@ XvMCSurfaceInfo * XvMCListSurfaceTypes(Display *dpy, XvPortID port, int *num)
}
if(rep.num > 0) {
- surface_info =
- (XvMCSurfaceInfo*)Xmalloc(rep.num * sizeof(XvMCSurfaceInfo));
+ if (rep.num < (INT_MAX / sizeof(XvMCSurfaceInfo)))
+ surface_info = Xmalloc(rep.num * sizeof(XvMCSurfaceInfo));
if(surface_info) {
xvmcSurfaceInfo sinfo;
commit cf1a1dc1b9ca34a29d0471da9389f8eae70ddbd9
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat Apr 13 00:47:57 2013 -0700
Use _XEatDataWords to avoid overflow of rep.length shifting
rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
diff --git a/configure.ac b/configure.ac
index b44f80d..f9d59a1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -42,6 +42,12 @@ XORG_CHECK_MALLOC_ZERO
# Obtain compiler/linker options for depedencies
PKG_CHECK_MODULES(XVMC, x11 xext xv xextproto videoproto)
+# Check for _XEatDataWords function that may be patched into older Xlib release
+SAVE_LIBS="$LIBS"
+LIBS="$XVMC_LIBS"
+AC_CHECK_FUNCS([_XEatDataWords])
+LIBS="$SAVE_LIBS"
+
# Checks for library functions.
AC_CHECK_FUNCS([shmat])
diff --git a/src/XvMC.c b/src/XvMC.c
index 5a4cf0d..b3e97ec 100644
--- a/src/XvMC.c
+++ b/src/XvMC.c
@@ -16,6 +16,18 @@
#include <sys/time.h>
#include <X11/extensions/Xext.h>
#include <X11/extensions/extutil.h>
+#include <limits.h>
+
+#ifndef HAVE__XEATDATAWORDS
+static inline void _XEatDataWords(Display *dpy, unsigned long n)
+{
+# ifndef LONG64
+ if (n >= (ULONG_MAX >> 2))
+ _XIOError(dpy);
+# endif
+ _XEatData (dpy, n << 2);
+}
+#endif
static XExtensionInfo _xvmc_info_data;
static XExtensionInfo *xvmc_info = &_xvmc_info_data;
@@ -134,7 +146,7 @@ XvMCSurfaceInfo * XvMCListSurfaceTypes(Display *dpy, XvPortID port, int *num)
surface_info[i].flags = sinfo.flags;
}
} else
- _XEatData(dpy, rep.length << 2);
+ _XEatDataWords(dpy, rep.length);
}
UnlockDisplay (dpy);
@@ -207,7 +219,7 @@ XvImageFormatValues * XvMCListSubpictureTypes (
ret[i].scanline_order = Info.scanline_order;
}
} else
- _XEatData(dpy, rep.length << 2);
+ _XEatDataWords(dpy, rep.length);
}
UnlockDisplay (dpy);
@@ -278,7 +290,7 @@ Status _xvmc_create_context (
_XRead(dpy, (char*)(*priv_data), rep.length << 2);
*priv_count = rep.length;
} else
- _XEatData(dpy, rep.length << 2);
+ _XEatDataWords(dpy, rep.length);
}
UnlockDisplay (dpy);
@@ -359,7 +371,7 @@ Status _xvmc_create_surface (
_XRead(dpy, (char*)(*priv_data), rep.length << 2);
*priv_count = rep.length;
} else
- _XEatData(dpy, rep.length << 2);
+ _XEatDataWords(dpy, rep.length);
}
UnlockDisplay (dpy);
@@ -449,7 +461,7 @@ Status _xvmc_create_subpicture (
_XRead(dpy, (char*)(*priv_data), rep.length << 2);
*priv_count = rep.length;
} else
- _XEatData(dpy, rep.length << 2);
+ _XEatDataWords(dpy, rep.length);
}
UnlockDisplay (dpy);
@@ -579,7 +591,7 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port,
} else {
- _XEatData(dpy, realSize);
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay (dpy);
SyncHandle ();
return -1;
commit 2fb49b59ff530ea3d0288b1b1ab5ccd046a1213b
Author: Colin Walters <walters@verbum.org>
Date: Wed Jan 4 17:37:06 2012 -0500
autogen.sh: Implement GNOME Build API
http://people.gnome.org/~walters/docs/build-api.txt
Signed-off-by: Adam Jackson <ajax@redhat.com>
diff --git a/autogen.sh b/autogen.sh
index 904cd67..fc34bd5 100755
--- a/autogen.sh
+++ b/autogen.sh
@@ -9,4 +9,6 @@ cd $srcdir
autoreconf -v --install || exit 1
cd $ORIGDIR || exit $?
-$srcdir/configure --enable-maintainer-mode "$@"
+if test -z "$NOCONFIGURE"; then
+ $srcdir/configure "$@"
+fi
commit f2db5efdba40d84493a95a2ffb9bc734b83d8503
Author: Adam Jackson <ajax@redhat.com>
Date: Tue Jan 15 14:28:48 2013 -0500
configure: Remove AM_MAINTAINER_MODE
Signed-off-by: Adam Jackson <ajax@redhat.com>
diff --git a/configure.ac b/configure.ac
index ae7d08b..b44f80d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -28,7 +28,6 @@ AC_CONFIG_HEADERS([config.h])
# Initialize Automake
AM_INIT_AUTOMAKE([foreign dist-bzip2])
-AM_MAINTAINER_MODE
# Initialize libtool
AC_PROG_LIBTOOL
Reply to: