
libxxf86dga: Changes to 'debian-unstable'



 ChangeLog        |  125 +++++++++++++++++++++++++++++++++++++++++++++++++++++++
 autogen.sh       |    4 +
 configure.ac     |    9 +++
 debian/changelog |   18 +++++++
 debian/compat    |    2 
 debian/control   |    1 
 debian/rules     |   15 ++----
 src/XF86DGA2.c   |   83 +++++++++++++++++++++++++++---------
 8 files changed, 223 insertions(+), 34 deletions(-)

New commits:
commit 906a2f9b8aeee7c5f14708d998f0b2fda180b36e
Author: Julien Cristau <jcristau@debian.org>
Date:   Mon Aug 12 23:16:56 2013 +0200

    Upload to unstable

diff --git a/debian/changelog b/debian/changelog
index 90b73a0..898c410 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,4 +1,4 @@
-libxxf86dga (2:1.1.4-1) UNRELEASED; urgency=low
+libxxf86dga (2:1.1.4-1) unstable; urgency=low
 
   * New upstream release.
   * Bump debhelper compat level to 7.
@@ -6,7 +6,7 @@ libxxf86dga (2:1.1.4-1) UNRELEASED; urgency=low
   * Use dpkg-buildflags.
   * Disable silent build rules.
 
- -- Julien Cristau <jcristau@debian.org>  Mon, 12 Aug 2013 22:36:57 +0200
+ -- Julien Cristau <jcristau@debian.org>  Mon, 12 Aug 2013 23:16:53 +0200
 
 libxxf86dga (2:1.1.3-2+deb7u1) wheezy-security; urgency=high
 

commit e0db7af39dbb531520880735004de839d723254e
Author: Julien Cristau <jcristau@debian.org>
Date:   Mon Aug 12 23:13:48 2013 +0200

    Disable silent build rules.

diff --git a/debian/changelog b/debian/changelog
index 1d35fd3..90b73a0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -4,6 +4,7 @@ libxxf86dga (2:1.1.4-1) UNRELEASED; urgency=low
   * Bump debhelper compat level to 7.
   * Use dh_prep instead of dh_clean -k.
   * Use dpkg-buildflags.
+  * Disable silent build rules.
 
  -- Julien Cristau <jcristau@debian.org>  Mon, 12 Aug 2013 22:36:57 +0200
 
diff --git a/debian/rules b/debian/rules
index 43b228e..d8f3eed 100755
--- a/debian/rules
+++ b/debian/rules
@@ -41,6 +41,7 @@ build-stamp: configure $(STAMP_DIR)/genscripts
 	../configure --prefix=/usr --mandir=\$${prefix}/share/man \
 	             --libdir=\$${prefix}/lib/$(DEB_HOST_MULTIARCH) \
 	             --infodir=\$${prefix}/share/info $(confflags) \
+		     --disable-silent-rules \
 		     $(shell DEB_CFLAGS_MAINT_APPEND=-Wall dpkg-buildflags --export=configure)
 	cd build && $(MAKE)
 	>$@
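Review bot: Nothing in this configure call fails if the `$(shell DEB_CFLAGS_MAINT_APPEND=-Wall dpkg-buildflags --export=configure)` line right after the added `--disable-silent-rules` returns nothing. Make ignores the exit status of `$(shell …)` and substitutes an empty string, so the package would still build, only without the hardening and `-Wall` flags. The verbose output enabled here makes that visible in the build log but does not stop the build. Capturing the flags once at parse time, e.g. `buildflags := $(shell DEB_CFLAGS_MAINT_APPEND=-Wall dpkg-buildflags --export=configure)`, and guarding with `$(if $(strip $(buildflags)),,$(error dpkg-buildflags returned no flags))` would turn the silent case into a build failure. The build-stamp recipe starts outside this hunk.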

commit cf00b6086c6dd63af53728f841691759565e61c7
Author: Julien Cristau <jcristau@debian.org>
Date:   Mon Aug 12 23:11:50 2013 +0200

    Use dpkg-buildflags.

diff --git a/debian/changelog b/debian/changelog
index 33ce36b..1d35fd3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,7 @@ libxxf86dga (2:1.1.4-1) UNRELEASED; urgency=low
   * New upstream release.
   * Bump debhelper compat level to 7.
   * Use dh_prep instead of dh_clean -k.
+  * Use dpkg-buildflags.
 
  -- Julien Cristau <jcristau@debian.org>  Mon, 12 Aug 2013 22:36:57 +0200
 
diff --git a/debian/control b/debian/control
index f84ba77..d9756a4 100644
--- a/debian/control
+++ b/debian/control
@@ -4,6 +4,7 @@ Priority: optional
 Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
 Uploaders: Cyril Brulebois <kibi@debian.org>
 Build-Depends:
+ dpkg-dev (>= 1.16.1),
  debhelper (>= 8.1.3),
  libx11-dev (>= 1:0.99.2),
  x11proto-xf86dga-dev (>= 2.0.99.1),
diff --git a/debian/rules b/debian/rules
index ef310fc..43b228e 100755
--- a/debian/rules
+++ b/debian/rules
@@ -12,12 +12,6 @@ PACKAGE = libxxf86dga1
 
 include debian/xsfbs/xsfbs.mk
 
-CFLAGS = -Wall -g
-ifneq (,$(filter noopt,$(DEB_BUILD_OPTIONS)))
-	CFLAGS += -O0
-else
-	CFLAGS += -O2
-endif
 ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
 	NUMJOBS = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS)))
 	MAKEFLAGS += -j$(NUMJOBS)
@@ -47,7 +41,7 @@ build-stamp: configure $(STAMP_DIR)/genscripts
 	../configure --prefix=/usr --mandir=\$${prefix}/share/man \
 	             --libdir=\$${prefix}/lib/$(DEB_HOST_MULTIARCH) \
 	             --infodir=\$${prefix}/share/info $(confflags) \
-	             CFLAGS="$(CFLAGS)" 
+		     $(shell DEB_CFLAGS_MAINT_APPEND=-Wall dpkg-buildflags --export=configure)
 	cd build && $(MAKE)
 	>$@
 

commit 547d8b0b3d337b0302084800b4e37d33e1bfa4d2
Author: Julien Cristau <jcristau@debian.org>
Date:   Mon Aug 12 23:11:02 2013 +0200

    Use dh_prep instead of dh_clean -k.

diff --git a/debian/changelog b/debian/changelog
index 7bce453..33ce36b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,7 @@ libxxf86dga (2:1.1.4-1) UNRELEASED; urgency=low
 
   * New upstream release.
   * Bump debhelper compat level to 7.
+  * Use dh_prep instead of dh_clean -k.
 
  -- Julien Cristau <jcristau@debian.org>  Mon, 12 Aug 2013 22:36:57 +0200
 
diff --git a/debian/rules b/debian/rules
index 39c5e5e..ef310fc 100755
--- a/debian/rules
+++ b/debian/rules
@@ -68,7 +68,7 @@ clean: xsfclean
 install: build
 	dh_testdir
 	dh_testroot
-	dh_clean -k
+	dh_prep
 	dh_installdirs
 	cd build && $(MAKE) DESTDIR=$(CURDIR)/debian/tmp install
 

commit 518bc33ab0c4d9793cb2f5b583c7504a25f538e8
Author: Julien Cristau <jcristau@debian.org>
Date:   Mon Aug 12 23:08:35 2013 +0200

    Bump debhelper compat level to 7.

diff --git a/debian/changelog b/debian/changelog
index 938ffc7..7bce453 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,6 +1,7 @@
 libxxf86dga (2:1.1.4-1) UNRELEASED; urgency=low
 
   * New upstream release.
+  * Bump debhelper compat level to 7.
 
  -- Julien Cristau <jcristau@debian.org>  Mon, 12 Aug 2013 22:36:57 +0200
 
diff --git a/debian/compat b/debian/compat
index 7ed6ff8..7f8f011 100644
--- a/debian/compat
+++ b/debian/compat
@@ -1 +1 @@
-5
+7
diff --git a/debian/rules b/debian/rules
index aa02999..39c5e5e 100755
--- a/debian/rules
+++ b/debian/rules
@@ -77,8 +77,8 @@ binary-arch: build install
 	dh_testdir
 	dh_testroot
 	dh_installdocs
-	dh_install --sourcedir=debian/tmp --fail-missing -XlibXxf86dga.la
-	dh_installchangelogs ChangeLog
+	dh_install --fail-missing -XlibXxf86dga.la
+	dh_installchangelogs
 	dh_link
 	dh_strip --dbg-package=$(PACKAGE)-dbg
 	dh_compress

commit e89cf3bbc8c7ad7cfad384e36e32de12c0fe94d1
Author: Julien Cristau <jcristau@debian.org>
Date:   Mon Aug 12 22:37:05 2013 +0200

    Bump changelogs

diff --git a/ChangeLog b/ChangeLog
index fd4d98b..efa04ec 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,128 @@
+commit 0f2e21d7e8310cf7bc02bba56884be0e52c061ae
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Thu May 30 18:36:19 2013 -0700
+
+    libXxf86dga 1.1.4
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit a8dc6be3213bc91dec5e25535ef4bad5a9456af0
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Sat Apr 13 12:53:49 2013 -0700
+
+    integer overflow in XDGAOpenFramebuffer()
+    
+    rep.length is a CARD32 and should be bounds checked before left shifting
+    to come up with the size to allocate and read from the network, though
+    since both functions take the same size, there should be no way for the
+    buffer to be overflowed in this case.
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit b69d6d51a82b1d1e8c68a233360acb742c879375
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Sat Apr 13 12:45:41 2013 -0700
+
+    buffer overflow in XDGASetMode() [CVE-2013-2000 2/2]
+    
+    When reading the name strings for the mode off the network, we never
+    checked to make sure the length of the name strings didn't overflow
+    the size of the buffer we'd allocated based on the reported rep.length
+    for the total reply size.
+    
+    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit f89cf306a60facdf102696840bc05acebd7d1772
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Sat Apr 13 12:38:25 2013 -0700
+
+    integer overflow & underflow in XDGASetMode() [CVE-2013-1991 2/2]
+    
+    rep.length is a CARD32 and needs to be bounds checked before bit shifting
+    and subtracting sz_xXDGAModeInfo to come up with the total size to allocate,
+    to avoid integer overflow or underflow leading to underallocation and
+    writing data from the network past the end of the allocated buffer.
+    
+    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit 5dcfa6a8cf2df39828da733e5945e730518c27b3
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Sat Apr 13 12:27:10 2013 -0700
+
+    buffer overflow in XDGAQueryModes() [CVE-2013-2000 1/2]
+    
+    When reading the name strings for the modes off the network, we never
+    checked to make sure the length of the individual name strings didn't
+    overflow the size of the buffer we'd allocated based on the reported
+    rep.length for the total reply size.
+    
+    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit f4a8dd63af518640468d82948f450aad4b2b1e6a
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Sat Apr 13 12:18:57 2013 -0700
+
+    integer overflow in XDGAQueryModes() [CVE-2013-1991 1/2]
+    
+    number is a CARD32 and needs to be bounds checked before multiplying by
+    sizeof(XDGAmode) to come up with the total size to allocate, to avoid
+    integer overflow leading to underallocation and writing data from the
+    network past the end of the allocated buffer.
+    
+    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit 6fa471be7a005bde97bcb5ca5a17662ea8d32587
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Sat Apr 13 12:05:25 2013 -0700
+
+    Use _XEatDataWords to avoid overflow of rep.length shifting
+    
+    rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit 1e454b8da70e3f125dd512baa5e66f948878f9f5
+Author: Colin Walters <walters@verbum.org>
+Date:   Wed Jan 4 17:37:06 2012 -0500
+
+    autogen.sh: Implement GNOME Build API
+    
+    http://people.gnome.org/~walters/docs/build-api.txt
+    
+    Signed-off-by: Adam Jackson <ajax@redhat.com>
+
+commit 968295ede4d96fd40483d97bc4d25ae32d86a9fa
+Author: Adam Jackson <ajax@redhat.com>
+Date:   Tue Jan 15 14:28:48 2013 -0500
+
+    configure: Remove AM_MAINTAINER_MODE
+    
+    Signed-off-by: Adam Jackson <ajax@redhat.com>
+
+commit d4f89f7f42484963575b4c7d2fa694051e111e76
+Author: Jeremy Huddleston <jeremyhu@apple.com>
+Date:   Fri Mar 9 02:48:14 2012 -0800
+
+    Include <stdint.h> for uintptr_t
+    
+    Found-by: Tinderbox
+    
+    Signed-off-by: Jeremy Huddleston <jeremyhu@apple.com>
+
+commit 56b5a5887349e9d0e1d28da157fe6441ca691f56
+Author: Jeremy Huddleston <jeremyhu@apple.com>
+Date:   Thu Mar 8 11:49:36 2012 -0800
+
+    Build fix when sizeof(off_t) > sizeof(void *)
+    
+    https://trac.macports.org/ticket/33532
+    
+    Signed-off-by: Jeremy Huddleston <jeremyhu@apple.com>
+
 commit 3dad5d7c34c5787f0466b9ff50d7c26cd18e37bd
 Author: Alan Coopersmith <alan.coopersmith@oracle.com>
 Date:   Wed Mar 7 21:34:06 2012 -0800
diff --git a/debian/changelog b/debian/changelog
index 3b8551c..938ffc7 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+libxxf86dga (2:1.1.4-1) UNRELEASED; urgency=low
+
+  * New upstream release.
+
+ -- Julien Cristau <jcristau@debian.org>  Mon, 12 Aug 2013 22:36:57 +0200
+
 libxxf86dga (2:1.1.3-2+deb7u1) wheezy-security; urgency=high
 
   * integer overflows calculating memory needs for replies [CVE-2013-1991]

commit 0f2e21d7e8310cf7bc02bba56884be0e52c061ae
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Thu May 30 18:36:19 2013 -0700

    libXxf86dga 1.1.4
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

diff --git a/configure.ac b/configure.ac
index 955fa3c..3127c6e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,7 +1,7 @@
 
 # Initialize Autoconf
 AC_PREREQ([2.60])
-AC_INIT([libXxf86dga], [1.1.3],
+AC_INIT([libXxf86dga], [1.1.4],
         [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXxf86dga])
 AC_CONFIG_SRCDIR([Makefile.am])
 AC_CONFIG_HEADERS(src/config.h)

commit 4825015c94dfaeeb7529986367906086bf1d5c41
Author: Julien Cristau <jcristau@debian.org>
Date:   Wed May 15 18:56:27 2013 +0200

    Upload to wheezy-security

diff --git a/debian/changelog b/debian/changelog
index 7da34b1..3b8551c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,11 @@
+libxxf86dga (2:1.1.3-2+deb7u1) wheezy-security; urgency=high
+
+  * integer overflows calculating memory needs for replies [CVE-2013-1991]
+  * buffer overflows due to not validating length or offset values in replies
+    [CVE-2013-2000]
+
+ -- Julien Cristau <jcristau@debian.org>  Wed, 15 May 2013 18:55:18 +0200
+
 libxxf86dga (2:1.1.3-2) unstable; urgency=low
 
   * Pull build fix from upstream for BSD (closes: #671047)

commit 9ebc6176dee7bad0e78f13fa8d5171df07ed4293
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Apr 13 12:53:49 2013 -0700

    integer overflow in XDGAOpenFramebuffer()
    
    rep.length is a CARD32 and should be bounds checked before left shifting
    to come up with the size to allocate and read from the network, though
    since both functions take the same size, there should be no way for the
    buffer to be overflowed in this case.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
index 4d13677..9c656e6 100644
--- a/src/XF86DGA2.c
+++ b/src/XF86DGA2.c
@@ -250,9 +250,14 @@ Bool XDGAOpenFramebuffer(
 	return False;
     }
 
-    if(rep.length) {
-	deviceName = Xmalloc(rep.length << 2);
-	_XRead(dpy, deviceName, rep.length << 2);
+    if (rep.length) {
+	if (rep.length < (INT_MAX >> 2)) {
+	    unsigned long size = rep.length << 2;
+	    deviceName = Xmalloc(size);
+	    _XRead(dpy, deviceName, size);
+	    deviceName[size - 1] = '\0';
+	} else
+	    _XEatDataWords(dpy, rep.length);
     }
 
     ret = XDGAMapFramebuffer(screen, deviceName,
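Review bot: The result of `Xmalloc(size)` is used without a NULL check inside the new `rep.length < (INT_MAX >> 2)` branch, so a failed allocation sends both `_XRead` and the `deviceName[size - 1] = '\0'` store through a null pointer. The size comes from the server's reply, so a large `rep.length` that still passes the bound can make the allocation fail. Guard the read, e.g. `if (deviceName != NULL) { _XRead(dpy, deviceName, size); deviceName[size - 1] = '\0'; } else _XEatDataWords(dpy, rep.length);`, so the reply is still drained on failure. The identical hunk in upstream commit a8dc6be3213bc91dec5e25535ef4bad5a9456af0 further down this page needs the same change. XDGAOpenFramebuffer continues outside the hunk, so how `deviceName` is released afterwards cannot be checked from here.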

commit 2147c46853f29439f860114fde7f9617cf3a7449
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Apr 13 12:45:41 2013 -0700

    buffer overflow in XDGASetMode() [CVE-2013-2000 2/2]
    
    When reading the name strings for the mode off the network, we never
    checked to make sure the length of the name strings didn't overflow
    the size of the buffer we'd allocated based on the reported rep.length
    for the total reply size.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
index 90ca918..4d13677 100644
--- a/src/XF86DGA2.c
+++ b/src/XF86DGA2.c
@@ -444,8 +444,14 @@ XDGASetMode(
 		dev->mode.reserved1 = info.reserved1;
 		dev->mode.reserved2 = info.reserved2;
 
-		dev->mode.name = (char*)(&dev[1]);
-		_XRead(dpy, dev->mode.name, info.name_size);
+		if (info.name_size > 0 && info.name_size <= size) {
+		    dev->mode.name = (char*)(&dev[1]);
+		    _XRead(dpy, dev->mode.name, info.name_size);
+		    dev->mode.name[info.name_size - 1] = '\0';
+		} else {
+		    dev->mode.name = NULL;
+		    _XEatDataWords(dpy, rep.length);
+		}
 
 		dev->pixmap = (rep.flags & XDGAPixmap) ? pid : 0;
 		dev->data = XDGAGetMappedMemory(screen);
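Review bot: The new else branch drains `rep.length` words, but `sz_xXDGAModeInfo` bytes of this reply were already consumed by the earlier `_XRead(dpy, (char*)(&info), sz_xXDGAModeInfo)` shown in the neighbouring XDGASetMode hunk. It therefore appears to read past the end of the reply, which could block or swallow the start of the next message. Draining only what is left, `_XEatData(dpy, size);`, keeps the connection in sync, since `size` already holds the reply length minus the header. The accepted branch likewise leaves `size - info.name_size` bytes unread when the name is shorter than the text area. The same hunk in upstream commit b69d6d51a82b1d1e8c68a233360acb742c879375 later on the page is affected too; the function starts and ends outside this hunk.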

commit 1a9f4506132921b3de3512e03857239d3debd65d
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Apr 13 12:38:25 2013 -0700

    integer overflow & underflow in XDGASetMode() [CVE-2013-1991 2/2]
    
    rep.length is a CARD32 and needs to be bounds checked before bit shifting
    and subtracting sz_xXDGAModeInfo to come up with the total size to allocate,
    to avoid integer overflow or underflow leading to underallocation and
    writing data from the network past the end of the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
index b5145ee..90ca918 100644
--- a/src/XF86DGA2.c
+++ b/src/XF86DGA2.c
@@ -405,12 +405,15 @@ XDGASetMode(
     if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) {
 	if(rep.length) {
 	   xXDGAModeInfo info;
-	   int size;
+	   unsigned long size;
 
-	   size = rep.length << 2;
-	   size -= sz_xXDGAModeInfo; /* get text size */
+	   if ((rep.length < (INT_MAX >> 2)) &&
+	       (rep.length > (sz_xXDGAModeInfo >> 2))) {
+	       size = rep.length << 2;
+	       size -= sz_xXDGAModeInfo; /* get text size */
 
-	   dev = (XDGADevice*)Xmalloc(sizeof(XDGADevice) + size);
+	       dev = Xmalloc(sizeof(XDGADevice) + size);
+	   }
 
 	   if(dev) {
 		_XRead(dpy, (char*)(&info), sz_xXDGAModeInfo);
@@ -451,6 +454,8 @@ XDGASetMode(
 		    dev->data += rep.offset;
 	   }
 	   /* not sure what to do if the allocation fails */
+	   else
+	       _XEatDataWords(dpy, rep.length);
 	}
     }
 

commit 3824bb711847805ae72d6e29c00ccdcaa27fe936
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Apr 13 12:27:10 2013 -0700

    buffer overflow in XDGAQueryModes() [CVE-2013-2000 1/2]
    
    When reading the name strings for the modes off the network, we never
    checked to make sure the length of the individual name strings didn't
    overflow the size of the buffer we'd allocated based on the reported
    rep.length for the total reply size.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
index 8830266..b5145ee 100644
--- a/src/XF86DGA2.c
+++ b/src/XF86DGA2.c
@@ -356,9 +356,16 @@ XDGAMode* XDGAQueryModes(
 		modes[i].reserved1 = info.reserved1;
 		modes[i].reserved2 = info.reserved2;
 
-		_XRead(dpy, offset, info.name_size);
-		modes[i].name = offset;
-		offset += info.name_size;
+		if (info.name_size > 0 && info.name_size <= size) {
+		    _XRead(dpy, offset, info.name_size);
+		    modes[i].name = offset;
+		    modes[i].name[info.name_size - 1] = '\0';
+		    offset += info.name_size;
+		    size -= info.name_size;
+		} else {
+		    _XEatData(dpy, info.name_size);
+		    modes[i].name = NULL;
+		}
 	      }
 	      *num = rep.number;
 	   } else
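Review bot: `modes[i].name` can now be NULL, which is a visible API change for callers that treated the name as an always-valid C string, and it is not documented anywhere in the hunk. A comment on the else branch such as `/* name is NULL when the server-supplied name_size is zero or exceeds the remaining text buffer */` would record this, and the man page should say the same. Separately, `_XEatData(dpy, info.name_size)` still trusts the server's length on the rejected path. If that value exceeds what is left of the reply, the call presumably reads beyond it, so clamping it to the remaining reply bytes is worth considering. The same hunk recurs in upstream commit 5dcfa6a8cf2df39828da733e5945e730518c27b3 below; the loop and function are only partly visible here.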

commit 7b660492996b63665241815382d8faaac7f014d7
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Apr 13 12:18:57 2013 -0700

    integer overflow in XDGAQueryModes() [CVE-2013-1991 1/2]
    
    number is a CARD32 and needs to be bounds checked before multiplying by
    sizeof(XDGAmode) to come up with the total size to allocate, to avoid
    integer overflow leading to underallocation and writing data from the
    network past the end of the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
index c17c7f1..8830266 100644
--- a/src/XF86DGA2.c
+++ b/src/XF86DGA2.c
@@ -312,16 +312,21 @@ XDGAMode* XDGAQueryModes(
     if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) {
 	if(rep.length) {
 	   xXDGAModeInfo info;
-	   int i, size;
+	   unsigned long size = 0;
 	   char *offset;
 
-	   size = rep.length << 2;
-	   size -= rep.number * sz_xXDGAModeInfo; /* find text size */
-	   modes = (XDGAMode*)Xmalloc((rep.number * sizeof(XDGAMode)) + size);
-	   offset = (char*)(&modes[rep.number]); /* start of text */
-
+	   if ((rep.length < (INT_MAX >> 2)) &&
+	       (rep.number < (INT_MAX / sizeof(XDGAMode)))) {
+	       size = rep.length << 2;
+	       if (size > (rep.number * sz_xXDGAModeInfo)) {
+		   size -= rep.number * sz_xXDGAModeInfo; /* find text size */
+		   modes = Xmalloc((rep.number * sizeof(XDGAMode)) + size);
+		   offset = (char*)(&modes[rep.number]);  /* start of text */
+	       }
+	   }
 
-	   if(modes) {
+	   if (modes != NULL) {
+	      unsigned int i;
 	      for(i = 0; i < rep.number; i++) {
 		_XRead(dpy, (char*)(&info), sz_xXDGAModeInfo);
 

commit 160d1d35312fd8a315429ce4d78c16ecd61faebe
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Apr 13 12:05:25 2013 -0700

    Use _XEatDataWords to avoid overflow of rep.length shifting
    
    rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

diff --git a/configure.ac b/configure.ac
index 54585c9..755066c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -23,6 +23,12 @@ XORG_CHECK_MALLOC_ZERO
 # Obtain compiler/linker options for depedencies
 PKG_CHECK_MODULES(XXF86DGA, xproto x11 xextproto xext [xf86dgaproto >= 2.0.99.2])
 
+# Check for _XEatDataWords function that may be patched into older Xlib release
+SAVE_LIBS="$LIBS"
+LIBS="$XXF86DGA_LIBS"
+AC_CHECK_FUNCS([_XEatDataWords])
+LIBS="$SAVE_LIBS"
+
 AC_CONFIG_FILES([Makefile
 		src/Makefile
 		man/Makefile
diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
index 964de18..c17c7f1 100644
--- a/src/XF86DGA2.c
+++ b/src/XF86DGA2.c
@@ -6,6 +6,9 @@ Copyright (c) 1995,1996  The XFree86 Project, Inc
 */
 
 /* THIS IS NOT AN X CONSORTIUM STANDARD */
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
 
 #ifdef __UNIXOS2__ /* needed here to override certain constants in X headers */
 #define INCL_DOS
@@ -22,6 +25,18 @@ Copyright (c) 1995,1996  The XFree86 Project, Inc
 #include <stdio.h>
 
 #include <stdint.h>
+#include <limits.h>
+
+#ifndef HAVE__XEATDATAWORDS
+static inline void _XEatDataWords(Display *dpy, unsigned long n)
+{
+# ifndef LONG64
+    if (n >= (ULONG_MAX >> 2))
+        _XIOError(dpy);
+# endif
+    _XEatData (dpy, n << 2);
+}
+#endif
 
 /* If you change this, change the Bases[] array below as well */
 #define MAX_HEADS 16
@@ -342,7 +357,7 @@ XDGAMode* XDGAQueryModes(
 	      }
 	      *num = rep.number;
 	   } else
-		_XEatData(dpy, rep.length << 2);
+		_XEatDataWords(dpy, rep.length);
 	}
     }
 

commit a8dc6be3213bc91dec5e25535ef4bad5a9456af0
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Apr 13 12:53:49 2013 -0700

    integer overflow in XDGAOpenFramebuffer()
    
    rep.length is a CARD32 and should be bounds checked before left shifting
    to come up with the size to allocate and read from the network, though
    since both functions take the same size, there should be no way for the
    buffer to be overflowed in this case.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
index 4d13677..9c656e6 100644
--- a/src/XF86DGA2.c
+++ b/src/XF86DGA2.c
@@ -250,9 +250,14 @@ Bool XDGAOpenFramebuffer(
 	return False;
     }
 
-    if(rep.length) {
-	deviceName = Xmalloc(rep.length << 2);
-	_XRead(dpy, deviceName, rep.length << 2);
+    if (rep.length) {
+	if (rep.length < (INT_MAX >> 2)) {
+	    unsigned long size = rep.length << 2;
+	    deviceName = Xmalloc(size);
+	    _XRead(dpy, deviceName, size);
+	    deviceName[size - 1] = '\0';
+	} else
+	    _XEatDataWords(dpy, rep.length);
     }
 
     ret = XDGAMapFramebuffer(screen, deviceName,

commit b69d6d51a82b1d1e8c68a233360acb742c879375
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Apr 13 12:45:41 2013 -0700

    buffer overflow in XDGASetMode() [CVE-2013-2000 2/2]
    
    When reading the name strings for the mode off the network, we never
    checked to make sure the length of the name strings didn't overflow
    the size of the buffer we'd allocated based on the reported rep.length
    for the total reply size.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
index 90ca918..4d13677 100644
--- a/src/XF86DGA2.c
+++ b/src/XF86DGA2.c
@@ -444,8 +444,14 @@ XDGASetMode(
 		dev->mode.reserved1 = info.reserved1;
 		dev->mode.reserved2 = info.reserved2;
 
-		dev->mode.name = (char*)(&dev[1]);
-		_XRead(dpy, dev->mode.name, info.name_size);
+		if (info.name_size > 0 && info.name_size <= size) {
+		    dev->mode.name = (char*)(&dev[1]);
+		    _XRead(dpy, dev->mode.name, info.name_size);
+		    dev->mode.name[info.name_size - 1] = '\0';
+		} else {
+		    dev->mode.name = NULL;
+		    _XEatDataWords(dpy, rep.length);
+		}
 
 		dev->pixmap = (rep.flags & XDGAPixmap) ? pid : 0;
 		dev->data = XDGAGetMappedMemory(screen);

commit f89cf306a60facdf102696840bc05acebd7d1772
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Apr 13 12:38:25 2013 -0700

    integer overflow & underflow in XDGASetMode() [CVE-2013-1991 2/2]
    
    rep.length is a CARD32 and needs to be bounds checked before bit shifting
    and subtracting sz_xXDGAModeInfo to come up with the total size to allocate,
    to avoid integer overflow or underflow leading to underallocation and
    writing data from the network past the end of the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
index b5145ee..90ca918 100644
--- a/src/XF86DGA2.c
+++ b/src/XF86DGA2.c
@@ -405,12 +405,15 @@ XDGASetMode(
     if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) {
 	if(rep.length) {
 	   xXDGAModeInfo info;
-	   int size;
+	   unsigned long size;
 
-	   size = rep.length << 2;
-	   size -= sz_xXDGAModeInfo; /* get text size */
+	   if ((rep.length < (INT_MAX >> 2)) &&
+	       (rep.length > (sz_xXDGAModeInfo >> 2))) {
+	       size = rep.length << 2;
+	       size -= sz_xXDGAModeInfo; /* get text size */
 
-	   dev = (XDGADevice*)Xmalloc(sizeof(XDGADevice) + size);
+	       dev = Xmalloc(sizeof(XDGADevice) + size);
+	   }
 
 	   if(dev) {
 		_XRead(dpy, (char*)(&info), sz_xXDGAModeInfo);
@@ -451,6 +454,8 @@ XDGASetMode(
 		    dev->data += rep.offset;
 	   }
 	   /* not sure what to do if the allocation fails */
+	   else
+	       _XEatDataWords(dpy, rep.length);
 	}
     }
 

commit 5dcfa6a8cf2df39828da733e5945e730518c27b3
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Apr 13 12:27:10 2013 -0700

    buffer overflow in XDGAQueryModes() [CVE-2013-2000 1/2]
    
    When reading the name strings for the modes off the network, we never
    checked to make sure the length of the individual name strings didn't
    overflow the size of the buffer we'd allocated based on the reported
    rep.length for the total reply size.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
index 8830266..b5145ee 100644
--- a/src/XF86DGA2.c
+++ b/src/XF86DGA2.c
@@ -356,9 +356,16 @@ XDGAMode* XDGAQueryModes(
 		modes[i].reserved1 = info.reserved1;
 		modes[i].reserved2 = info.reserved2;
 
-		_XRead(dpy, offset, info.name_size);
-		modes[i].name = offset;
-		offset += info.name_size;
+		if (info.name_size > 0 && info.name_size <= size) {
+		    _XRead(dpy, offset, info.name_size);
+		    modes[i].name = offset;
+		    modes[i].name[info.name_size - 1] = '\0';
+		    offset += info.name_size;
+		    size -= info.name_size;
+		} else {
+		    _XEatData(dpy, info.name_size);
+		    modes[i].name = NULL;
+		}
 	      }
 	      *num = rep.number;
 	   } else

commit f4a8dd63af518640468d82948f450aad4b2b1e6a
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Apr 13 12:18:57 2013 -0700

    integer overflow in XDGAQueryModes() [CVE-2013-1991 1/2]
    
    number is a CARD32 and needs to be bounds checked before multiplying by
    sizeof(XDGAmode) to come up with the total size to allocate, to avoid
    integer overflow leading to underallocation and writing data from the
    network past the end of the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
index c17c7f1..8830266 100644
--- a/src/XF86DGA2.c
+++ b/src/XF86DGA2.c
@@ -312,16 +312,21 @@ XDGAMode* XDGAQueryModes(
     if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) {
 	if(rep.length) {
 	   xXDGAModeInfo info;
-	   int i, size;
+	   unsigned long size = 0;
 	   char *offset;
 
-	   size = rep.length << 2;
-	   size -= rep.number * sz_xXDGAModeInfo; /* find text size */
-	   modes = (XDGAMode*)Xmalloc((rep.number * sizeof(XDGAMode)) + size);
-	   offset = (char*)(&modes[rep.number]); /* start of text */
-
+	   if ((rep.length < (INT_MAX >> 2)) &&
+	       (rep.number < (INT_MAX / sizeof(XDGAMode)))) {
+	       size = rep.length << 2;
+	       if (size > (rep.number * sz_xXDGAModeInfo)) {
+		   size -= rep.number * sz_xXDGAModeInfo; /* find text size */
+		   modes = Xmalloc((rep.number * sizeof(XDGAMode)) + size);
+		   offset = (char*)(&modes[rep.number]);  /* start of text */
+	       }
+	   }
 
-	   if(modes) {
+	   if (modes != NULL) {
+	      unsigned int i;
 	      for(i = 0; i < rep.number; i++) {
 		_XRead(dpy, (char*)(&info), sz_xXDGAModeInfo);
 

commit 6fa471be7a005bde97bcb5ca5a17662ea8d32587
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Apr 13 12:05:25 2013 -0700

    Use _XEatDataWords to avoid overflow of rep.length shifting
    
    rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

diff --git a/configure.ac b/configure.ac
index 0558326..955fa3c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -22,6 +22,12 @@ XORG_CHECK_MALLOC_ZERO
 # Obtain compiler/linker options for depedencies
 PKG_CHECK_MODULES(XXF86DGA, xproto x11 xextproto xext [xf86dgaproto >= 2.0.99.2])
 
+# Check for _XEatDataWords function that may be patched into older Xlib release
+SAVE_LIBS="$LIBS"
+LIBS="$XXF86DGA_LIBS"
+AC_CHECK_FUNCS([_XEatDataWords])
+LIBS="$SAVE_LIBS"
+
 AC_CONFIG_FILES([Makefile
 		src/Makefile
 		man/Makefile
diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
index 964de18..c17c7f1 100644
--- a/src/XF86DGA2.c
+++ b/src/XF86DGA2.c
@@ -6,6 +6,9 @@ Copyright (c) 1995,1996  The XFree86 Project, Inc
 */
 
 /* THIS IS NOT AN X CONSORTIUM STANDARD */
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
 
 #ifdef __UNIXOS2__ /* needed here to override certain constants in X headers */
 #define INCL_DOS
@@ -22,6 +25,18 @@ Copyright (c) 1995,1996  The XFree86 Project, Inc
 #include <stdio.h>
 
 #include <stdint.h>
+#include <limits.h>
+
+#ifndef HAVE__XEATDATAWORDS
+static inline void _XEatDataWords(Display *dpy, unsigned long n)
+{
+# ifndef LONG64
+    if (n >= (ULONG_MAX >> 2))
+        _XIOError(dpy);
+# endif
+    _XEatData (dpy, n << 2);
+}
+#endif
 
 /* If you change this, change the Bases[] array below as well */
 #define MAX_HEADS 16
@@ -342,7 +357,7 @@ XDGAMode* XDGAQueryModes(
 	      }
 	      *num = rep.number;
 	   } else
-		_XEatData(dpy, rep.length << 2);
+		_XEatDataWords(dpy, rep.length);
 	}
     }
 

commit 1e454b8da70e3f125dd512baa5e66f948878f9f5
Author: Colin Walters <walters@verbum.org>
Date:   Wed Jan 4 17:37:06 2012 -0500

    autogen.sh: Implement GNOME Build API
    
    http://people.gnome.org/~walters/docs/build-api.txt
    
    Signed-off-by: Adam Jackson <ajax@redhat.com>

diff --git a/autogen.sh b/autogen.sh
index 904cd67..fc34bd5 100755
--- a/autogen.sh
+++ b/autogen.sh
@@ -9,4 +9,6 @@ cd $srcdir
 autoreconf -v --install || exit 1
 cd $ORIGDIR || exit $?
 
-$srcdir/configure --enable-maintainer-mode "$@"
+if test -z "$NOCONFIGURE"; then
+    $srcdir/configure "$@"
+fi
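Review bot: `$srcdir` is expanded unquoted in the new `$srcdir/configure "$@"` line, so a checkout path containing spaces or glob characters is word-split before configure is run. Write it as `"$srcdir"/configure "$@"`. A one-line comment above the `if`, for example `# NOCONFIGURE set: stop after autoreconf, caller runs configure itself`, would also document why the step is conditional.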

commit 968295ede4d96fd40483d97bc4d25ae32d86a9fa
Author: Adam Jackson <ajax@redhat.com>
Date:   Tue Jan 15 14:28:48 2013 -0500

    configure: Remove AM_MAINTAINER_MODE
    
    Signed-off-by: Adam Jackson <ajax@redhat.com>

diff --git a/configure.ac b/configure.ac
index 54585c9..0558326 100644
--- a/configure.ac
+++ b/configure.ac
@@ -8,7 +8,6 @@ AC_CONFIG_HEADERS(src/config.h)
 
 # Initialize Automake
 AM_INIT_AUTOMAKE([foreign dist-bzip2])
-AM_MAINTAINER_MODE
 
 # Initialize libtool
 AC_PROG_LIBTOOL

