
libxres: Changes to 'refs/tags/libXres-1.2.0-configure.ac'



Rebased ref, commits from common ancestor:
commit 47f8ced17f5ef0a1f1539fd8837cd8f47aa0eb6e
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Apr 13 10:34:22 2013 -0700

    Use _XEatDataWords to avoid overflow of rep.length shifting
    
    rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

diff --git a/configure.ac b/configure.ac
index 5e3703b..b829cc1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -50,6 +50,12 @@ XORG_CHECK_MALLOC_ZERO
 # Obtain compiler/linker options for depedencies
 PKG_CHECK_MODULES(XRES, [x11 >= 1.6] xext xextproto [resourceproto >= 1.2.0])
 
+# Check for _XEatDataWords function that may be patched into older Xlib release
+SAVE_LIBS="$LIBS"
+LIBS="$XRES_LIBS"
+AC_CHECK_FUNCS([_XEatDataWords])
+LIBS="$SAVE_LIBS"
+
 AC_CONFIG_FILES([Makefile
 		src/Makefile
 		man/Makefile
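Review bot: The `AC_CHECK_FUNCS([_XEatDataWords])` probe looks redundant on this branch, because the `PKG_CHECK_MODULES` line just above it already requires `x11 >= 1.6`, and as far as I know libX11 1.6 is the release that ships `_XEatDataWords`. The comment about the function being patched into older Xlib releases then describes a case the version requirement excludes. Either drop the probe here or reword the comment to say why it stays, e.g. `# x11 >= 1.6 is expected to provide _XEatDataWords; probe kept for parity with the 1.0 branch`. The identical probe in the later configure.ac hunk, where `x11` is unversioned, is the case it was written for.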

commit b51a7b0ccf0d5ccb53fbd5d34ed8fe57603d2604
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Thu May 30 17:51:12 2013 -0700

    libXres 1.0.7
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

diff --git a/configure.ac b/configure.ac
index 10e47d2..fc92739 100644
--- a/configure.ac
+++ b/configure.ac
@@ -29,7 +29,7 @@ AC_PREREQ([2.60])
 # digit in the version number to track changes which don't affect the
 # protocol, so XRes version l.n.m corresponds to protocol version l.n
 #
-AC_INIT([libXres], [1.0.6],
+AC_INIT([libXres], [1.0.7],
         [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXres])
 AC_CONFIG_SRCDIR([Makefile.am])
 AC_CONFIG_HEADERS([config.h])

commit ad156a716a324ee60362c8ba66a5ed8c835c219b
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Apr 12 23:36:13 2013 -0700

    integer overflow in XResQueryClientResources() [CVE-2013-1988 2/2]
    
    The CARD32 rep.num_types needs to be bounds checked before multiplying
    by sizeof(XResType) to avoid integer overflow leading to underallocation
    and writing data from the network past the end of the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

diff --git a/src/XRes.c b/src/XRes.c
index 5117321..ff21dd4 100644
--- a/src/XRes.c
+++ b/src/XRes.c
@@ -186,7 +186,12 @@ Status XResQueryClientResources (
     }
 
     if(rep.num_types) {
-        if((typs = Xmalloc(sizeof(XResType) * rep.num_types))) {
+        if (rep.num_types < (INT_MAX / sizeof(XResType)))
+            typs = Xmalloc(sizeof(XResType) * rep.num_types);
+        else
+            typs = NULL;
+
+        if (typs != NULL) {
             xXResType scratch;
             int i;
 
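Review bot: The new guard on `rep.num_types` bounds the allocation, but nothing in this hunk ties the count to `rep.length`, so a reply that declares more entries than its length can hold would presumably still drive the read loop past the end of that reply. The loop starts below the `int i;` declaration and continues outside the hunk, so this should be confirmed against the full function. Consider extending the condition, e.g. `if (rep.num_types < (INT_MAX / sizeof(XResType)) && rep.num_types <= rep.length / (sizeof(xXResType) >> 2))`, so that an inconsistent reply takes the same `typs = NULL` path and is discarded. A one-line comment such as `/* num_types comes from the server reply: bound it before sizing the buffer */` would also record why the check exists. The same applies to the `rep.num_clients` guard in the XResQueryClients hunk of the 1/2 commit.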

commit 3ec2db9eeb9ba8fb561802b0c4b8bf79e321b7a2
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Apr 12 23:36:13 2013 -0700

    integer overflow in XResQueryClients() [CVE-2013-1988 1/2]
    
    The CARD32 rep.num_clients needs to be bounds checked before multiplying
    by sizeof(XResClient) to avoid integer overflow leading to underallocation
    and writing data from the network past the end of the allocated buffer.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

diff --git a/src/XRes.c b/src/XRes.c
index ae86206..5117321 100644
--- a/src/XRes.c
+++ b/src/XRes.c
@@ -129,7 +129,12 @@ Status XResQueryClients (
     }
 
     if(rep.num_clients) {
-        if((clnts = Xmalloc(sizeof(XResClient) * rep.num_clients))) {
+        if (rep.num_clients < (INT_MAX / sizeof(XResClient)))
+            clnts = Xmalloc(sizeof(XResClient) * rep.num_clients);
+        else
+            clnts = NULL;
+
+        if (clnts != NULL) {
             xXResClient scratch;
             int i;
 

commit 95b352b0f4a1ab1bc254e78adbc73cd65223ded4
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Apr 13 10:34:22 2013 -0700

    Use _XEatDataWords to avoid overflow of rep.length shifting
    
    rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

diff --git a/configure.ac b/configure.ac
index bc4e8a6..10e47d2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -55,6 +55,12 @@ RES_VERSION=[`echo $VERSION | sed 's/^\([0-9][0-9]*\.[0-9][0-9]*\).*$/\1/'`]
 # Obtain compiler/linker options for depedencies
 PKG_CHECK_MODULES(XRES, x11 xext xextproto [resourceproto >= $RES_VERSION])
 
+# Check for _XEatDataWords function that may be patched into older Xlib release
+SAVE_LIBS="$LIBS"
+LIBS="$XRES_LIBS"
+AC_CHECK_FUNCS([_XEatDataWords])
+LIBS="$SAVE_LIBS"
+
 AC_CONFIG_FILES([Makefile
 		src/Makefile
 		man/Makefile
diff --git a/src/XRes.c b/src/XRes.c
index 6091c96..ae86206 100644
--- a/src/XRes.c
+++ b/src/XRes.c
@@ -12,7 +12,18 @@
 #include <X11/extensions/extutil.h>
 #include <X11/extensions/XResproto.h>
 #include <X11/extensions/XRes.h>
+#include <limits.h>
 
+#ifndef HAVE__XEATDATAWORDS
+static inline void _XEatDataWords(Display *dpy, unsigned long n)
+{
+# ifndef LONG64
+    if (n >= (ULONG_MAX >> 2))
+        _XIOError(dpy);
+# endif
+    _XEatData (dpy, n << 2);
+}
+#endif
 
 static XExtensionInfo _xres_ext_info_data;
 static XExtensionInfo *xres_ext_info = &_xres_ext_info_data;
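Review bot: The `#ifndef HAVE__XEATDATAWORDS` guard only works if `config.h` is included before it, and the lines above line 12 of src/XRes.c are outside this hunk, so that is worth confirming. Without it the macro is never defined and the `static inline` fallback would be compiled even when Xlib already declares `_XEatDataWords`. The fallback also deserves a comment stating its contract, for example `/* n counts 32-bit words; where long is 32 bits, fail via _XIOError instead of letting n << 2 wrap */`. It relies on `_XIOError` not returning normally, since `_XEatData (dpy, n << 2);` follows unconditionally; putting that call in an `else` would make the guard independent of the error handler's behaviour.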
@@ -131,7 +142,7 @@ Status XResQueryClients (
             *num_clients = rep.num_clients;
             result = 1;
         } else {
-            _XEatData(dpy, rep.length << 2);
+            _XEatDataWords(dpy, rep.length);
         }
     }
 
@@ -183,7 +194,7 @@ Status XResQueryClientResources (
             *num_types = rep.num_types;
             result = 1;
         } else {
-            _XEatData(dpy, rep.length << 2);
+            _XEatDataWords(dpy, rep.length);
         }
     }
 

commit d54acff47096cf52a9b8e018a26f7165e1092eb5
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Jan 18 23:06:20 2013 -0800

    Replace deprecated Automake INCLUDES variable with AM_CPPFLAGS
    
    Excerpt https://lists.gnu.org/archive/html/automake/2012-12/msg00038.html
    
      - Support for the long-deprecated INCLUDES variable will be removed
        altogether in Automake 1.14.  The AM_CPPFLAGS variable should be
        used instead.
    
    This variable was deprecated in Automake releases prior to 1.10, which is
    the current minimum level required to build X.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    (cherry picked from commit 83e7693515369d57dcd11c2bb1f03563f51bc500)

diff --git a/src/Makefile.am b/src/Makefile.am
index fd508da..bf66d68 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -10,7 +10,7 @@ AM_CFLAGS = \
 	$(XRES_CFLAGS) \
 	$(MALLOC_ZERO_CFLAGS)
 
-INCLUDES = -I$(top_srcdir)/include
+AM_CPPFLAGS = -I$(top_srcdir)/include
 
 libXRes_la_LDFLAGS = -version-number 1:0:0 -no-undefined
 

