
libxxf86dga: Changes to 'upstream-unstable'



 autogen.sh     |    4 +-
 configure.ac   |    9 ++++-
 src/XF86DGA2.c |   86 +++++++++++++++++++++++++++++++++++++++++++--------------
 3 files changed, 75 insertions(+), 24 deletions(-)

New commits:
commit 0f2e21d7e8310cf7bc02bba56884be0e52c061ae
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Thu May 30 18:36:19 2013 -0700

    libXxf86dga 1.1.4
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

diff --git a/configure.ac b/configure.ac
index 955fa3c..3127c6e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,7 +1,7 @@
 
 # Initialize Autoconf
 AC_PREREQ([2.60])
-AC_INIT([libXxf86dga], [1.1.3],
+AC_INIT([libXxf86dga], [1.1.4],
         [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXxf86dga])
 AC_CONFIG_SRCDIR([Makefile.am])
 AC_CONFIG_HEADERS(src/config.h)

commit a8dc6be3213bc91dec5e25535ef4bad5a9456af0
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Apr 13 12:53:49 2013 -0700

    integer overflow in XDGAOpenFramebuffer()
    
    rep.length is a CARD32 and should be bounds checked before left shifting
    to come up with the size to allocate and read from the network, though
    since both functions take the same size, there should be no way for the
    buffer to be overflowed in this case.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
index 4d13677..9c656e6 100644
--- a/src/XF86DGA2.c
+++ b/src/XF86DGA2.c
@@ -250,9 +250,14 @@ Bool XDGAOpenFramebuffer(
 	return False;
     }
 
-    if(rep.length) {
-	deviceName = Xmalloc(rep.length << 2);
-	_XRead(dpy, deviceName, rep.length << 2);
+    if (rep.length) {
+	if (rep.length < (INT_MAX >> 2)) {
+	    unsigned long size = rep.length << 2;
+	    deviceName = Xmalloc(size);
+	    _XRead(dpy, deviceName, size);
+	    deviceName[size - 1] = '\0';
+	} else
+	    _XEatDataWords(dpy, rep.length);
     }
 
     ret = XDGAMapFramebuffer(screen, deviceName,

commit b69d6d51a82b1d1e8c68a233360acb742c879375
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Apr 13 12:45:41 2013 -0700

    buffer overflow in XDGASetMode() [CVE-2013-2000 2/2]
    
    When reading the name strings for the mode off the network, we never
    checked to make sure the length of the name strings didn't overflow
    the size of the buffer we'd allocated based on the reported rep.length
    for the total reply size.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
index 90ca918..4d13677 100644
--- a/src/XF86DGA2.c
+++ b/src/XF86DGA2.c
@@ -444,8 +444,14 @@ XDGASetMode(
 		dev->mode.reserved1 = info.reserved1;
 		dev->mode.reserved2 = info.reserved2;
 
-		dev->mode.name = (char*)(&dev[1]);
-		_XRead(dpy, dev->mode.name, info.name_size);
+		if (info.name_size > 0 && info.name_size <= size) {
+		    dev->mode.name = (char*)(&dev[1]);
+		    _XRead(dpy, dev->mode.name, info.name_size);
+		    dev->mode.name[info.name_size - 1] = '\0';
+		} else {
+		    dev->mode.name = NULL;
+		    _XEatDataWords(dpy, rep.length);
+		}
 
 		dev->pixmap = (rep.flags & XDGAPixmap) ? pid : 0;
 		dev->data = XDGAGetMappedMemory(screen);
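Review bot: The else branch discards `rep.length` words, yet part of the reply has presumably been consumed already: the `info` fields copied just above suggest the `xXDGAModeInfo` header was read earlier in the function, outside this hunk. If so, `_XEatDataWords(dpy, rep.length)` asks for more bytes than the reply still holds and can block or swallow the start of the next reply or event. Discarding only the remainder, e.g. `_XEatData(dpy, size);`, would keep the connection in sync, assuming `size` is the byte count left after the header, as the comparison against `info.name_size` suggests. Callers now also see `dev->mode.name == NULL` for a malformed reply, which deserves a line in the function's documentation.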

commit f89cf306a60facdf102696840bc05acebd7d1772
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Apr 13 12:38:25 2013 -0700

    integer overflow & underflow in XDGASetMode() [CVE-2013-1991 2/2]
    
    rep.length is a CARD32 and needs to be bounds checked before bit shifting
    and subtracting sz_xXDGAModeInfo to come up with the total size to allocate,
    to avoid integer overflow or underflow leading to underallocation and
    writing data from the network past the end of the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
index b5145ee..90ca918 100644
--- a/src/XF86DGA2.c
+++ b/src/XF86DGA2.c
@@ -405,12 +405,15 @@ XDGASetMode(
     if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) {
 	if(rep.length) {
 	   xXDGAModeInfo info;
-	   int size;
+	   unsigned long size;
 
-	   size = rep.length << 2;
-	   size -= sz_xXDGAModeInfo; /* get text size */
+	   if ((rep.length < (INT_MAX >> 2)) &&
+	       (rep.length > (sz_xXDGAModeInfo >> 2))) {
+	       size = rep.length << 2;
+	       size -= sz_xXDGAModeInfo; /* get text size */
 
-	   dev = (XDGADevice*)Xmalloc(sizeof(XDGADevice) + size);
+	       dev = Xmalloc(sizeof(XDGADevice) + size);
+	   }
 
 	   if(dev) {
 		_XRead(dpy, (char*)(&info), sz_xXDGAModeInfo);
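Review bot: `size` is declared without an initialiser and `dev` is assigned only inside the new bounds check, so `if(dev)` is correct only if `dev` was set to NULL before this block, which is outside the hunk. Declaring `unsigned long size = 0;`, as the XDGAQueryModes hunk of the sibling commit does, and confirming the NULL initialisation of `dev` would make the rejected-length path explicit. The same applies to `offset` in that XDGAQueryModes hunk, which stays uninitialised when its check fails. A short comment on the check, such as `/* reject lengths whose byte count would overflow or not exceed the fixed header */`, would help the next reader. XDGASetMode's body starts and ends outside the hunk.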
@@ -451,6 +454,8 @@ XDGASetMode(
 		    dev->data += rep.offset;
 	   }
 	   /* not sure what to do if the allocation fails */
+	   else
+	       _XEatDataWords(dpy, rep.length);
 	}
     }
 

commit 5dcfa6a8cf2df39828da733e5945e730518c27b3
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Apr 13 12:27:10 2013 -0700

    buffer overflow in XDGAQueryModes() [CVE-2013-2000 1/2]
    
    When reading the name strings for the modes off the network, we never
    checked to make sure the length of the individual name strings didn't
    overflow the size of the buffer we'd allocated based on the reported
    rep.length for the total reply size.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
index 8830266..b5145ee 100644
--- a/src/XF86DGA2.c
+++ b/src/XF86DGA2.c
@@ -356,9 +356,16 @@ XDGAMode* XDGAQueryModes(
 		modes[i].reserved1 = info.reserved1;
 		modes[i].reserved2 = info.reserved2;
 
-		_XRead(dpy, offset, info.name_size);
-		modes[i].name = offset;
-		offset += info.name_size;
+		if (info.name_size > 0 && info.name_size <= size) {
+		    _XRead(dpy, offset, info.name_size);
+		    modes[i].name = offset;
+		    modes[i].name[info.name_size - 1] = '\0';
+		    offset += info.name_size;
+		    size -= info.name_size;
+		} else {
+		    _XEatData(dpy, info.name_size);
+		    modes[i].name = NULL;
+		}
 	      }
 	      *num = rep.number;
 	   } else
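Review bot: The else branch discards `info.name_size` bytes even when that value is larger than `size`, which by the sibling hunk's arithmetic is what the reply still holds for name text. In that case `_XEatData(dpy, info.name_size)` would read past the end of this reply, and the loop then goes on parsing headers from a stream that is no longer aligned. Treating an oversized `name_size` as a malformed reply (discard what is left of the reply and stop the loop) would be safer than trusting the server-supplied length a second time. `modes[i].name` can now be NULL, which callers that print the name need to know, so a comment or man-page note should say so. The loop and the function start outside the hunk.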

commit f4a8dd63af518640468d82948f450aad4b2b1e6a
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Apr 13 12:18:57 2013 -0700

    integer overflow in XDGAQueryModes() [CVE-2013-1991 1/2]
    
    number is a CARD32 and needs to be bounds checked before multiplying by
    sizeof(XDGAmode) to come up with the total size to allocate, to avoid
    integer overflow leading to underallocation and writing data from the
    network past the end of the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
index c17c7f1..8830266 100644
--- a/src/XF86DGA2.c
+++ b/src/XF86DGA2.c
@@ -312,16 +312,21 @@ XDGAMode* XDGAQueryModes(
     if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) {
 	if(rep.length) {
 	   xXDGAModeInfo info;
-	   int i, size;
+	   unsigned long size = 0;
 	   char *offset;
 
-	   size = rep.length << 2;
-	   size -= rep.number * sz_xXDGAModeInfo; /* find text size */
-	   modes = (XDGAMode*)Xmalloc((rep.number * sizeof(XDGAMode)) + size);
-	   offset = (char*)(&modes[rep.number]); /* start of text */
-
+	   if ((rep.length < (INT_MAX >> 2)) &&
+	       (rep.number < (INT_MAX / sizeof(XDGAMode)))) {
+	       size = rep.length << 2;
+	       if (size > (rep.number * sz_xXDGAModeInfo)) {
+		   size -= rep.number * sz_xXDGAModeInfo; /* find text size */
+		   modes = Xmalloc((rep.number * sizeof(XDGAMode)) + size);
+		   offset = (char*)(&modes[rep.number]);  /* start of text */
+	       }
+	   }
 
-	   if(modes) {
+	   if (modes != NULL) {
+	      unsigned int i;
 	      for(i = 0; i < rep.number; i++) {
 		_XRead(dpy, (char*)(&info), sz_xXDGAModeInfo);
 

commit 6fa471be7a005bde97bcb5ca5a17662ea8d32587
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Apr 13 12:05:25 2013 -0700

    Use _XEatDataWords to avoid overflow of rep.length shifting
    
    rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

diff --git a/configure.ac b/configure.ac
index 0558326..955fa3c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -22,6 +22,12 @@ XORG_CHECK_MALLOC_ZERO
 # Obtain compiler/linker options for depedencies
 PKG_CHECK_MODULES(XXF86DGA, xproto x11 xextproto xext [xf86dgaproto >= 2.0.99.2])
 
+# Check for _XEatDataWords function that may be patched into older Xlib release
+SAVE_LIBS="$LIBS"
+LIBS="$XXF86DGA_LIBS"
+AC_CHECK_FUNCS([_XEatDataWords])
+LIBS="$SAVE_LIBS"
+
 AC_CONFIG_FILES([Makefile
 		src/Makefile
 		man/Makefile
diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
index 964de18..c17c7f1 100644
--- a/src/XF86DGA2.c
+++ b/src/XF86DGA2.c
@@ -6,6 +6,9 @@ Copyright (c) 1995,1996  The XFree86 Project, Inc
 */
 
 /* THIS IS NOT AN X CONSORTIUM STANDARD */
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
 
 #ifdef __UNIXOS2__ /* needed here to override certain constants in X headers */
 #define INCL_DOS
@@ -22,6 +25,18 @@ Copyright (c) 1995,1996  The XFree86 Project, Inc
 #include <stdio.h>
 
 #include <stdint.h>
+#include <limits.h>
+
+#ifndef HAVE__XEATDATAWORDS
+static inline void _XEatDataWords(Display *dpy, unsigned long n)
+{
+# ifndef LONG64
+    if (n >= (ULONG_MAX >> 2))
+        _XIOError(dpy);
+# endif
+    _XEatData (dpy, n << 2);
+}
+#endif
 
 /* If you change this, change the Bases[] array below as well */
 #define MAX_HEADS 16
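Review bot: The fallback `_XEatDataWords` has no comment saying why it exists or why the shift after the check is safe. I would add above it something like `/* Fallback for Xlib builds without _XEatDataWords: discard n 32-bit words of reply data, refusing counts whose byte length would overflow unsigned long. */`. A one-line remark next to `_XIOError(dpy);` should state that the call is expected not to return, since otherwise `n << 2` would still be evaluated with the oversized value. The `# ifndef LONG64` guard relies on the X headers having defined `LONG64` on 64-bit builds before this point; that include order is only partly visible in the hunk.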
@@ -342,7 +357,7 @@ XDGAMode* XDGAQueryModes(
 	      }
 	      *num = rep.number;
 	   } else
-		_XEatData(dpy, rep.length << 2);
+		_XEatDataWords(dpy, rep.length);
 	}
     }
 

commit 1e454b8da70e3f125dd512baa5e66f948878f9f5
Author: Colin Walters <walters@verbum.org>
Date:   Wed Jan 4 17:37:06 2012 -0500

    autogen.sh: Implement GNOME Build API
    
    http://people.gnome.org/~walters/docs/build-api.txt
    
    Signed-off-by: Adam Jackson <ajax@redhat.com>

diff --git a/autogen.sh b/autogen.sh
index 904cd67..fc34bd5 100755
--- a/autogen.sh
+++ b/autogen.sh
@@ -9,4 +9,6 @@ cd $srcdir
 autoreconf -v --install || exit 1
 cd $ORIGDIR || exit $?
 
-$srcdir/configure --enable-maintainer-mode "$@"
+if test -z "$NOCONFIGURE"; then
+    $srcdir/configure "$@"
+fi
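Review bot: `$srcdir/configure "$@"` expands `$srcdir` unquoted, so a source path containing spaces or glob characters is split before the script is run; `"$srcdir/configure" "$@"` avoids that. The context line `cd $srcdir` has the same problem. The `test -z "$NOCONFIGURE"` check itself is quoted correctly.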

commit 968295ede4d96fd40483d97bc4d25ae32d86a9fa
Author: Adam Jackson <ajax@redhat.com>
Date:   Tue Jan 15 14:28:48 2013 -0500

    configure: Remove AM_MAINTAINER_MODE
    
    Signed-off-by: Adam Jackson <ajax@redhat.com>

diff --git a/configure.ac b/configure.ac
index 54585c9..0558326 100644
--- a/configure.ac
+++ b/configure.ac
@@ -8,7 +8,6 @@ AC_CONFIG_HEADERS(src/config.h)
 
 # Initialize Automake
 AM_INIT_AUTOMAKE([foreign dist-bzip2])
-AM_MAINTAINER_MODE
 
 # Initialize libtool
 AC_PROG_LIBTOOL

commit d4f89f7f42484963575b4c7d2fa694051e111e76
Author: Jeremy Huddleston <jeremyhu@apple.com>
Date:   Fri Mar 9 02:48:14 2012 -0800

    Include <stdint.h> for uintptr_t
    
    Found-by: Tinderbox
    
    Signed-off-by: Jeremy Huddleston <jeremyhu@apple.com>

diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
index 32f455b..964de18 100644
--- a/src/XF86DGA2.c
+++ b/src/XF86DGA2.c
@@ -21,6 +21,7 @@ Copyright (c) 1995,1996  The XFree86 Project, Inc
 #include <X11/extensions/extutil.h>
 #include <stdio.h>
 
+#include <stdint.h>
 
 /* If you change this, change the Bases[] array below as well */
 #define MAX_HEADS 16

commit 56b5a5887349e9d0e1d28da157fe6441ca691f56
Author: Jeremy Huddleston <jeremyhu@apple.com>
Date:   Thu Mar 8 11:49:36 2012 -0800

    Build fix when sizeof(off_t) > sizeof(void *)
    
    https://trac.macports.org/ticket/33532
    
    Signed-off-by: Jeremy Huddleston <jeremyhu@apple.com>

diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
index e81b486..32f455b 100644
--- a/src/XF86DGA2.c
+++ b/src/XF86DGA2.c
@@ -928,7 +928,7 @@ DGAMapPhysical(
     if ((pMap->fd = open(name, O_RDWR)) < 0)
 	return False;
     pMap->virtual = mmap(NULL, size, PROT_READ | PROT_WRITE,
-			MAP_FILE | MAP_SHARED, pMap->fd, (off_t)base);
+			MAP_FILE | MAP_SHARED, pMap->fd, (off_t)(uintptr_t)base);
     if (pMap->virtual == (void *)-1)
 	return False;
     mprotect(pMap->virtual, size, PROT_READ | PROT_WRITE);
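Review bot: When `mmap` fails, the function returns False while `pMap->fd`, opened two lines earlier, stays open; unless the caller closes it (not visible here), each failed mapping leaks a descriptor. Closing it on that path, `if (pMap->virtual == MAP_FAILED) { close(pMap->fd); return False; }`, fixes the leak and replaces the hand-written `(void *)-1`. The return value of `mprotect` is also ignored. DGAMapPhysical's body starts and ends outside the hunk.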

