ChangeLog | 132 +++++++++++++++++++++++++++++++++++++++++++++ autogen.sh | 4 + configure.ac | 9 ++- debian/changelog | 17 +++++ debian/compat | 2 debian/control | 1 debian/rules | 15 +---- man/XvListImageFormats.man | 16 ++--- src/Xv.c | 67 +++++++++++++++++++--- 9 files changed, 231 insertions(+), 32 deletions(-)
New commits: commit ca49d1067d8c4f00a087a7fe641fb59e8b8fcd10 Author: Julien Cristau <jcris...@debian.org> Date: Mon Aug 12 22:02:06 2013 +0200 Upload to unstable diff --git a/debian/changelog b/debian/changelog index a627614..9b423d7 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -libxv (2:1.0.9-1) UNRELEASED; urgency=low +libxv (2:1.0.9-1) unstable; urgency=low * New upstream release. * Bump debhelper compat level to 7. @@ -6,7 +6,7 @@ libxv (2:1.0.9-1) UNRELEASED; urgency=low * Use dpkg-buildflags. * Use dh_prep instead of dh_clean -k. - -- Julien Cristau <jcris...@debian.org> Mon, 12 Aug 2013 21:40:31 +0200 + -- Julien Cristau <jcris...@debian.org> Mon, 12 Aug 2013 22:00:25 +0200 libxv (2:1.0.7-1+deb7u1) wheezy-security; urgency=high commit eca61eae1fbaff8c71a6aefc02aff42e3784e287 Author: Julien Cristau <jcris...@debian.org> Date: Mon Aug 12 22:00:04 2013 +0200 Use dh_prep instead of dh_clean -k. diff --git a/debian/changelog b/debian/changelog index f94fcc4..a627614 100644 --- a/debian/changelog +++ b/debian/changelog @@ -4,6 +4,7 @@ libxv (2:1.0.9-1) UNRELEASED; urgency=low * Bump debhelper compat level to 7. * Disable silent build rules. * Use dpkg-buildflags. + * Use dh_prep instead of dh_clean -k. -- Julien Cristau <jcris...@debian.org> Mon, 12 Aug 2013 21:40:31 +0200 diff --git a/debian/rules b/debian/rules index c29c781..da20064 100755 --- a/debian/rules +++ b/debian/rules @@ -59,7 +59,7 @@ clean: xsfclean install: build dh_testdir dh_testroot - dh_clean -k + dh_prep dh_installdirs cd build && $(MAKE) DESTDIR=$(CURDIR)/debian/tmp install commit f5f28383e5e8d27c4e5db4a80acf1f4127b616e8 Author: Julien Cristau <jcris...@debian.org> Date: Mon Aug 12 21:57:57 2013 +0200 Use dpkg-buildflags. diff --git a/debian/changelog b/debian/changelog index 33bc134..f94fcc4 100644 --- a/debian/changelog +++ b/debian/changelog 
@@ -3,6 +3,7 @@ libxv (2:1.0.9-1) UNRELEASED; urgency=low * New upstream release. * Bump debhelper compat level to 7. * Disable silent build rules. + * Use dpkg-buildflags. -- Julien Cristau <jcris...@debian.org> Mon, 12 Aug 2013 21:40:31 +0200 diff --git a/debian/control b/debian/control index 375b8b3..e316b2b 100644 --- a/debian/control +++ b/debian/control @@ -5,6 +5,7 @@ Maintainer: Debian X Strike Force <debian-x@lists.debian.org> Uploaders: Cyril Brulebois <k...@debian.org> Standards-Version: 3.8.3 Build-Depends: + dpkg-dev (>= 1.16.1), debhelper (>= 8.1.3), libx11-dev (>= 1:0.99.2), libxext-dev (>= 1:0.99.1), diff --git a/debian/rules b/debian/rules index af7574e..c29c781 100755 --- a/debian/rules +++ b/debian/rules @@ -14,12 +14,6 @@ DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH) include debian/xsfbs/xsfbs.mk -CFLAGS = -Wall -g -ifneq (,$(filter noopt,$(DEB_BUILD_OPTIONS))) - CFLAGS += -O0 -else - CFLAGS += -O2 -endif ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) NUMJOBS = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) MAKEFLAGS += -j$(NUMJOBS) @@ -45,7 +39,7 @@ build-stamp: --libdir=\$${prefix}/lib/$(DEB_HOST_MULTIARCH) \ --infodir=\$${prefix}/share/info $(confflags) \ --disable-silent-rules \ - CFLAGS="$(CFLAGS)" + $(shell DEB_CFLAGS_MAINT_APPEND=-Wall dpkg-buildflags --export=configure) cd build && $(MAKE) >$@ commit 447d54ff60c50ab2b616d0237141d969861e623b Author: Julien Cristau <jcris...@debian.org> Date: Mon Aug 12 21:56:58 2013 +0200 Disable silent build rules. diff --git a/debian/changelog b/debian/changelog index 14edb7e..33bc134 100644 --- a/debian/changelog +++ b/debian/changelog @@ -2,6 +2,7 @@ libxv (2:1.0.9-1) UNRELEASED; urgency=low * New upstream release. * Bump debhelper compat level to 7. + * Disable silent build rules. -- Julien Cristau <jcris...@debian.org> Mon, 12 Aug 2013 21:40:31 +0200 diff --git a/debian/rules b/debian/rules index 95c8319..af7574e 100755 --- a/debian/rules 
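Review bot: In the debian/rules build-stamp hunk, `DEB_CFLAGS_MAINT_APPEND=-Wall` is set only in the environment of the `$(shell DEB_CFLAGS_MAINT_APPEND=-Wall dpkg-buildflags --export=configure)` call, so any other consumer of dpkg-buildflags during the build (debhelper or the included xsfbs.mk, if either invokes it) will not see the extra warning flag; the conventional form is `export DEB_CFLAGS_MAINT_APPEND = -Wall` near the top of debian/rules with a plain `$(shell dpkg-buildflags --export=configure)` on the configure line. The removed block's `-g` and `noopt` handling is covered by dpkg-buildflags, which presumably also brings in the distribution's default hardening flags, so a short mention of that in the debian/changelog entry would record the behaviour change for the next maintainer. The build-stamp recipe continues outside the hunk.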
+++ b/debian/rules @@ -44,6 +44,7 @@ build-stamp: ../configure --prefix=/usr --mandir=\$${prefix}/share/man \ --libdir=\$${prefix}/lib/$(DEB_HOST_MULTIARCH) \ --infodir=\$${prefix}/share/info $(confflags) \ + --disable-silent-rules \ CFLAGS="$(CFLAGS)" cd build && $(MAKE) >$@ commit 62b36703540d289f6eb2e2fe0bd435b29e2f4440 Author: Julien Cristau <jcris...@debian.org> Date: Mon Aug 12 21:46:28 2013 +0200 Bump debhelper compat level to 7. diff --git a/debian/changelog b/debian/changelog index 9ed1546..14edb7e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,7 @@ libxv (2:1.0.9-1) UNRELEASED; urgency=low * New upstream release. + * Bump debhelper compat level to 7. -- Julien Cristau <jcris...@debian.org> Mon, 12 Aug 2013 21:40:31 +0200 diff --git a/debian/compat b/debian/compat index 7ed6ff8..7f8f011 100644 --- a/debian/compat +++ b/debian/compat @@ -1 +1 @@ -5 +7 diff --git a/debian/rules b/debian/rules index 53d6c55..95c8319 100755 --- a/debian/rules +++ b/debian/rules @@ -75,8 +75,8 @@ binary-arch: build install dh_testroot dh_installdocs - dh_install --sourcedir=debian/tmp --fail-missing --exclude=libXv.la - dh_installchangelogs ChangeLog + dh_install --fail-missing --exclude=libXv.la + dh_installchangelogs dh_link dh_strip --dbg-package=$(PACKAGE)-dbg dh_compress commit a45ad88b125034851ea040a340d434dd20b66434 Author: Julien Cristau <jcris...@debian.org> Date: Mon Aug 12 21:40:42 2013 +0200 Bump changelogs diff --git a/ChangeLog b/ChangeLog index ab6871f..1ddb874 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,135 @@ +commit d58f74ebfd0c56ffeb8e288c65592228af197a2e +Author: Alan Coopersmith <alan.coopersm...@oracle.com> +Date: Sat Jun 22 19:06:09 2013 -0700 + + libXv 1.0.9 + + 
Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> + +commit 22cc0c897a28a41d49fe68277bb3c002f54bbb48 +Author: Daphne Pfister <daphnedi...@mac.com> +Date: Sat Jun 1 22:27:23 2013 -0400 + + Bug 65252: Ensure final name is nil-terminated & none point to uninitialized memory. + + This patch attempts to fix this bug by ensuring that there is at least one + nil byte at the end of all the name strings. This should prevent reading + past the end of the allocation as well as exposing uninitialized memory. + + Reviewed-by: Alan Coopersmith <alan.coopersm...@oracle.com> + Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> + +commit edfb6fc397686c1892603d0f86a9aadf14dbc12e +Author: Alan Coopersmith <alan.coopersm...@oracle.com> +Date: Sat Jun 1 17:26:11 2013 -0700 + + XvQueryPortAttributes: add a comment explaining memory strategy + + Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> + +commit 179ed259e75a62e74532e36f52f3838deb2aac92 +Author: Alan Coopersmith <alan.coopersm...@oracle.com> +Date: Fri May 31 17:49:24 2013 -0700 + + libXv 1.0.8 + + Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> + +commit 50fc4cb18069cb9450a02c13f80223ef23511409 +Author: Alan Coopersmith <alan.coopersm...@oracle.com> +Date: Sat Apr 13 00:03:03 2013 -0700 + + integer overflow in XvCreateImage() [CVE-2013-1989 3/3] + + num_planes is a CARD32 and needs to be bounds checked before bit shifting + and adding to sizeof(XvImage) to come up with the total size to allocate, + to avoid integer overflow leading to underallocation and writing data from + the network past the end of the allocated buffer. + + Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com> + 
Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> + +commit 59301c1b5095f7dc6359d5b396dbbcdee7038270 +Author: Alan Coopersmith <alan.coopersm...@oracle.com> +Date: Sat Apr 13 00:03:03 2013 -0700 + + integer overflow in XvListImageFormats() [CVE-2013-1989 2/3] + + num_formats is a CARD32 and needs to be bounds checked before multiplying + by sizeof(XvImageFormatValues) to come up with the total size to allocate, + to avoid integer overflow leading to underallocation and writing data from + the network past the end of the allocated buffer. + + Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com> + Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> + +commit 15ab7dec17d686c38f2c82ac23a17cac5622322a +Author: Alan Coopersmith <alan.coopersm...@oracle.com> +Date: Sat Apr 13 00:16:14 2013 -0700 + + buffer overflow in XvQueryPortAttributes() [CVE-2013-2066] + + Each attribute returned in the reply includes the number of bytes + to read for its marker. We had been always trusting it, and never + validating that it wouldn't cause us to write past the end of the + buffer we allocated based on the reported text_size. + + Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com> + Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> + +commit 6e1b743a276651195be3cd68dff41e38426bf3ab +Author: Alan Coopersmith <alan.coopersm...@oracle.com> +Date: Sat Apr 13 00:03:03 2013 -0700 + + integer overflow in XvQueryPortAttributes() [CVE-2013-1989 1/3] + + The num_attributes & text_size members of the reply are both CARD32s + and need to be bounds checked before multiplying & adding them together + to come up with the total size to allocate, to avoid integer overflow + leading to underallocation and writing data from the network past the + end of the allocated buffer. + + Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com> + 
Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> + +commit 79362c764a6df7e7fbe5247756bdbf60f3a58baf +Author: Alan Coopersmith <alan.coopersm...@oracle.com> +Date: Sat Apr 13 00:28:34 2013 -0700 + + Use _XEatDataWords to avoid overflow of rep.length shifting + + rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds + + Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> + +commit ed13edeac5adc2e6afcd87f63b5ae1ff9ad47958 +Author: Colin Walters <walt...@verbum.org> +Date: Wed Jan 4 17:37:06 2012 -0500 + + autogen.sh: Implement GNOME Build API + + http://people.gnome.org/~walters/docs/build-api.txt + + Signed-off-by: Adam Jackson <a...@redhat.com> + +commit 1006d44b8674b5d9c5d7e893878776fbd34dbed2 +Author: Adam Jackson <a...@redhat.com> +Date: Tue Jan 15 14:28:48 2013 -0500 + + configure: Remove AM_MAINTAINER_MODE + + Signed-off-by: Adam Jackson <a...@redhat.com> + +commit ddec3b412e1d857d1a2daa75df61de377e1de9bd +Author: Thomas Klausner <w...@netbsd.org> +Date: Tue Jul 17 21:56:28 2012 +0200 + + Uppercase SH arguments. + + Signed-off-by: Thomas Klausner <w...@netbsd.org> + Reviewed-by: Alan Coopersmith <alan.coopersm...@oracle.com> + Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> + commit 0f4fa1820041394e879517abb49c0391ecc796f7 Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Wed Mar 7 21:25:38 2012 -0800 diff --git a/debian/changelog b/debian/changelog index 77ddace..9ed1546 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +libxv (2:1.0.9-1) UNRELEASED; urgency=low + + * New upstream release. + + -- Julien Cristau <jcris...@debian.org> Mon, 12 Aug 2013 21:40:31 +0200 + libxv (2:1.0.7-1+deb7u1) wheezy-security; urgency=high * integer overflows calculating memory needs for replies [CVE-2013-1989] commit d58f74ebfd0c56ffeb8e288c65592228af197a2e Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Sat Jun 22 19:06:09 2013 -0700 libXv 1.0.9 
Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>
diff --git a/configure.ac b/configure.ac
index cc88490..4f8c5f2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -22,7 +22,7 @@ # Initialize Autoconf
 AC_PREREQ([2.60])
-AC_INIT([libXv], [1.0.8],
+AC_INIT([libXv], [1.0.9],
 [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXv])
 AC_CONFIG_SRCDIR([Makefile.am])
 AC_CONFIG_HEADERS([config.h])
commit 22cc0c897a28a41d49fe68277bb3c002f54bbb48 Author: Daphne Pfister <daphnedi...@mac.com> Date: Sat Jun 1 22:27:23 2013 -0400 Bug 65252: Ensure final name is nil-terminated & none point to uninitialized memory. This patch attempts to fix this bug by ensuring that there is at least one nil byte at the end of all the name strings. This should prevent reading past the end of the allocation as well as exposing uninitialized memory. Reviewed-by: Alan Coopersmith <alan.coopersm...@oracle.com> Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>
diff --git a/src/Xv.c b/src/Xv.c
index 15c0bfd..8c45401 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -865,8 +865,8 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
 unsigned long size;
 /* limit each part to no more than one half the max size */
 if ((rep.num_attributes < ((INT_MAX / 2) / sizeof(XvAttribute))) &&
- (rep.text_size < (INT_MAX / 2))) {
- size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size;
+ (rep.text_size < (INT_MAX / 2)-1)) {
+ size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size + 1;
 ret = Xmalloc(size);
 }
@@ -891,6 +891,10 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
 }
 (*num)++;
 }
+
+ /* ensure final string is nil-terminated to avoid exposure of
+ uninitialized memory */
+ *marker = '\0';
 } else
 _XEatDataWords(dpy, rep.length);
 }
commit edfb6fc397686c1892603d0f86a9aadf14dbc12e Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Sat Jun 1 17:26:11 2013 -0700 XvQueryPortAttributes: add a comment explaining memory strategy
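Review bot: The added `*marker = '\0';` terminates only the last name; the text region is still obtained with Xmalloc, so an attribute whose `Info.size` exceeded the remaining room (and was skipped by the guard earlier in this loop) keeps `name` pointing at `marker`, and a name the server sends without its own terminator runs into the following name's bytes. Allocating with `ret = Xcalloc(1, size);` in the first hunk would make every byte of the text area defined no matter how the loop exits, at the cost of one memset over a bounded buffer. `(INT_MAX / 2)-1` would also read more consistently as `(INT_MAX / 2) - 1`, matching the spacing of the surrounding expressions. XvQueryPortAttributes begins and ends outside these hunks; the same allocation site appears again in the CVE-2013-1989 1/3 hunks later on this page.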
Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>
diff --git a/src/Xv.c b/src/Xv.c
index f268f8e..15c0bfd 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -850,6 +850,17 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
 return ret;
 }
+ /*
+ * X server sends data packed as:
+ * attribute1, name1, attribute2, name2, ...
+ * We allocate a single buffer large enough to hold them all and
+ * then de-interleave the data so we return it to clients as:
+ * attribute1, attribute2, ..., name1, name2, ...
+ * so that clients may refer to attributes as a simple array of
+ * structs: attributes[0], attributes[1], ...
+ * and free it as a single/simple buffer.
+ */
+
 if(rep.num_attributes) {
 unsigned long size;
 /* limit each part to no more than one half the max size */
commit 179ed259e75a62e74532e36f52f3838deb2aac92 Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Fri May 31 17:49:24 2013 -0700 libXv 1.0.8 Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>
diff --git a/configure.ac b/configure.ac
index 6a335db..cc88490 100644
--- a/configure.ac
+++ b/configure.ac
@@ -22,7 +22,7 @@ # Initialize Autoconf
 AC_PREREQ([2.60])
-AC_INIT([libXv], [1.0.7],
+AC_INIT([libXv], [1.0.8],
 [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXv])
 AC_CONFIG_SRCDIR([Makefile.am])
 AC_CONFIG_HEADERS([config.h])
commit 772a7a1c4dc28505a60608a35bc54f0ada676dc2 Author: Julien Cristau <jcris...@debian.org> Date: Tue May 14 23:11:35 2013 +0200 Upload to wheezy-security
diff --git a/debian/changelog b/debian/changelog
index 0bd363f..77ddace 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+libxv (2:1.0.7-1+deb7u1) wheezy-security; urgency=high
+
+ * integer overflows calculating memory needs for replies [CVE-2013-1989]
+ * buffer overflow in XvQueryPortAttributes() [CVE-2013-2066]
+
+ -- Julien Cristau <jcris...@debian.org> Tue, 14 May 2013 23:08:52 +0200
+
 libxv (2:1.0.7-1) unstable; urgency=low
 [ Robert Hooker ]
commit e2a6d8ff910ac012dc7cd3b6456ec3ad658f6a1e Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Sat Apr 13 00:03:03 2013 -0700 integer overflow in XvCreateImage() [CVE-2013-1989 3/3] num_planes is a CARD32 and needs to be bounds checked before bit shifting and adding to sizeof(XvImage) to come up with the total size to allocate, to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> Signed-off-by: Julien Cristau <jcris...@debian.org>
diff --git a/src/Xv.c b/src/Xv.c
index 0a07d9d..f268f8e 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -992,7 +992,10 @@ XvImage * XvCreateImage (
 return NULL;
 }
- if((ret = (XvImage*)Xmalloc(sizeof(XvImage) + (rep.num_planes << 3)))) {
+ if (rep.num_planes < ((INT_MAX >> 3) - sizeof(XvImage)))
+ ret = Xmalloc(sizeof(XvImage) + (rep.num_planes << 3));
+
+ if (ret != NULL) {
 ret->id = id;
 ret->width = rep.width;
 ret->height = rep.height;
commit e02fba7ae99169326a48461785be9e534c9deea3 Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Sat Apr 13 00:03:03 2013 -0700 integer overflow in XvListImageFormats() [CVE-2013-1989 2/3] num_formats is a CARD32 and needs to be bounds checked before multiplying by sizeof(XvImageFormatValues) to come up with the total size to allocate, to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com>
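Review bot: The new `if (ret != NULL)` test in the XvCreateImage hunk is only correct if `ret` was initialised to NULL at its declaration, which lies outside the hunk; XvQueryPortAttributes presumably does so, since the comment hunk above shows it returning `ret` on what looks like the `_XReply` failure path, but XvCreateImage here only shows `return NULL;`, so it is worth confirming. The same bound-check-then-`ret != NULL` shape is used in the XvListImageFormats hunk (`rep.num_formats`) and the XvQueryPortAttributes hunk (`rep.num_attributes` / `rep.text_size`) below, and again in their upstream copies later on this page. A malformed reply and an allocation failure now both yield NULL, which is acceptable since the `else _XEatDataWords(dpy, rep.length)` seen in the _XEatDataWords hunk drains the reply either way, but a one-line comment on the check keeps that intent visible: `/* reject plane counts that would overflow the allocation; the else branch drains the reply */`. XvCreateImage continues outside the hunk.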
Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> Signed-off-by: Julien Cristau <jcris...@debian.org>
diff --git a/src/Xv.c b/src/Xv.c
index f9813eb..0a07d9d 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -918,9 +918,10 @@ XvImageFormatValues * XvListImageFormats (
 }
 if(rep.num_formats) {
- int size = (rep.num_formats * sizeof(XvImageFormatValues));
+ if (rep.num_formats < (INT_MAX / sizeof(XvImageFormatValues)))
+ ret = Xmalloc(rep.num_formats * sizeof(XvImageFormatValues));
- if((ret = Xmalloc(size))) {
+ if (ret != NULL) {
 xvImageFormatInfo Info;
 int i;
commit 3219a1eee1342ac34ea6363abc31499cd47cce3f Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Sat Apr 13 00:16:14 2013 -0700 buffer overflow in XvQueryPortAttributes() [CVE-2013-2066] Each attribute returned in the reply includes the number of bytes to read for its marker. We had been always trusting it, and never validating that it wouldn't cause us to write past the end of the buffer we allocated based on the reported text_size. Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> Signed-off-by: Julien Cristau <jcris...@debian.org>
diff --git a/src/Xv.c b/src/Xv.c
index 3cbad35..f9813eb 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -864,14 +864,20 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
 xvAttributeInfo Info;
 int i;
+ /* keep track of remaining room for text strings */
+ size = rep.text_size;
+
 for(i = 0; i < rep.num_attributes; i++) {
 _XRead(dpy, (char*)(&Info), sz_xvAttributeInfo);
 ret[i].flags = (int)Info.flags;
 ret[i].min_value = Info.min;
 ret[i].max_value = Info.max;
 ret[i].name = marker;
- _XRead(dpy, marker, Info.size);
- marker += Info.size;
+ if (Info.size <= size) {
+ _XRead(dpy, marker, Info.size);
+ marker += Info.size;
+ size -= Info.size;
+ }
 (*num)++;
 }
 } else
commit 6458d0928a359d48fde4f3ef011c6fbfc7925ab7 Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Sat Apr 13 00:03:03 2013 -0700 integer overflow in XvQueryPortAttributes() [CVE-2013-1989 1/3] The num_attributes & text_size members of the reply are both CARD32s and need to be bounds checked before multiplying & adding them together to come up with the total size to allocate, to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> Signed-off-by: Julien Cristau <jcris...@debian.org>
diff --git a/src/Xv.c b/src/Xv.c
index 5be1d95..3cbad35 100644
--- a/src/Xv.c
+++ b/src/Xv.c
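Review bot: When `Info.size` exceeds the remaining `size`, the new guard skips the `_XRead` but leaves those bytes in the reply stream, so the next `_XRead(dpy, (char*)(&Info), sz_xvAttributeInfo)` consumes name bytes as the following attribute header and every later field of the reply is misparsed; `ret[i].name` is also left pointing at `marker`, i.e. at whatever the next fitting name writes there or at uninitialised memory. Draining the oversized name keeps the stream aligned: `} else { _XEatData(dpy, Info.size); }` after the guarded block, with `ret[i].name` pointed at an empty string for that entry if callers are to see something well-defined. Reusing `size`, which held the allocation size a few lines above, as the remaining-room counter is confusing; a separate `remaining` local would make the guard self-explanatory. The enclosing `if (ret != NULL)` block starts and ends outside the hunk; the identical hunk reappears under upstream commit 15ab7dec… later on this page.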
@@ -851,9 +851,15 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
 }
 if(rep.num_attributes) {
- int size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size;
+ unsigned long size;
+ /* limit each part to no more than one half the max size */
+ if ((rep.num_attributes < ((INT_MAX / 2) / sizeof(XvAttribute))) &&
+ (rep.text_size < (INT_MAX / 2))) {
+ size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size;
+ ret = Xmalloc(size);
+ }
- if((ret = Xmalloc(size))) {
+ if (ret != NULL) {
 char* marker = (char*)(&ret[rep.num_attributes]);
 xvAttributeInfo Info;
 int i;
commit a658f6de385c910764dd778b240d44f0c4225c6d Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Sat Apr 13 00:28:34 2013 -0700 Use _XEatDataWords to avoid overflow of rep.length shifting rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> Signed-off-by: Julien Cristau <jcris...@debian.org>
diff --git a/configure.ac b/configure.ac
index d3ad5bf..d41eed2 100644
--- a/configure.ac
+++ b/configure.ac
@@ -44,6 +44,12 @@ XORG_CHECK_MALLOC_ZERO
 # Obtain compiler/linker options for depedencies
 PKG_CHECK_MODULES(XV, x11 xext xextproto videoproto)
+# Check for _XEatDataWords function that may be patched into older Xlib release
+SAVE_LIBS="$LIBS"
+LIBS="$XV_LIBS"
+AC_CHECK_FUNCS([_XEatDataWords])
+LIBS="$SAVE_LIBS"
+
 # Allow checking code with lint, sparse, etc.
 XORG_WITH_LINT
 XORG_LINT_LIBRARY([Xv])
diff --git a/src/Xv.c b/src/Xv.c
index b081e8a..5be1d95 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -49,11 +49,27 @@ SOFTWARE. ** */
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
 #include <stdio.h>
 #include "Xvlibint.h"
 #include <X11/extensions/Xext.h>
 #include <X11/extensions/extutil.h>
 #include <X11/extensions/XShm.h>
+#include <limits.h>
+
+#ifndef HAVE__XEATDATAWORDS
+static inline void _XEatDataWords(Display *dpy, unsigned long n)
+{
+# ifndef LONG64
+ if (n >= (ULONG_MAX >> 2))
+ _XIOError(dpy);
+# endif
+ _XEatData (dpy, n << 2);
+}
+#endif
 static XExtensionInfo _xv_info_data;
 static XExtensionInfo *xv_info = &_xv_info_data;
@@ -853,7 +869,7 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
 (*num)++;
 }
 } else
- _XEatData(dpy, rep.length << 2);
+ _XEatDataWords(dpy, rep.length);
 }
 UnlockDisplay(dpy);
@@ -923,7 +939,7 @@ XvImageFormatValues * XvListImageFormats (
 (*num)++;
 }
 } else
- _XEatData(dpy, rep.length << 2);
+ _XEatDataWords(dpy, rep.length);
 }
 UnlockDisplay(dpy);
@@ -976,7 +992,7 @@ XvImage * XvCreateImage (
 _XRead(dpy, (char*)(ret->pitches), rep.num_planes << 2);
 _XRead(dpy, (char*)(ret->offsets), rep.num_planes << 2);
 } else
- _XEatData(dpy, rep.length << 2);
+ _XEatDataWords(dpy, rep.length);
 UnlockDisplay(dpy);
 SyncHandle();
commit 50fc4cb18069cb9450a02c13f80223ef23511409 Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Sat Apr 13 00:03:03 2013 -0700 integer overflow in XvCreateImage() [CVE-2013-1989 3/3] num_planes is a CARD32 and needs to be bounds checked before bit shifting and adding to sizeof(XvImage) to come up with the total size to allocate, to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>
diff --git a/src/Xv.c b/src/Xv.c
index 0a07d9d..f268f8e 100644
--- a/src/Xv.c
+++ b/src/Xv.c
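Review bot: The fallback `_XEatDataWords` in the first hunk avoids the `n << 2` overflow only if `_XIOError(dpy)` never returns; Xlib's `_XIOError` is expected not to, but the function relies on that implicitly, so a `return;` after `_XIOError(dpy);` makes the intent explicit and keeps the shift unreachable should a future Xlib let the I/O error handler return. The `# ifndef LONG64` guard also ties correctness to an Xlib-internal macro, and `>=` rejects the one value `ULONG_MAX >> 2` whose shift still fits; an unconditional `if (n > (ULONG_MAX >> 2))` is valid for every width of `unsigned long` and is folded away by the compiler where it cannot trigger. The three call-site hunks below look fine; the same hunks recur under upstream commit 79362c76… later on this page.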
@@ -992,7 +992,10 @@ XvImage * XvCreateImage (
 return NULL;
 }
- if((ret = (XvImage*)Xmalloc(sizeof(XvImage) + (rep.num_planes << 3)))) {
+ if (rep.num_planes < ((INT_MAX >> 3) - sizeof(XvImage)))
+ ret = Xmalloc(sizeof(XvImage) + (rep.num_planes << 3));
+
+ if (ret != NULL) {
 ret->id = id;
 ret->width = rep.width;
 ret->height = rep.height;
commit 59301c1b5095f7dc6359d5b396dbbcdee7038270 Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Sat Apr 13 00:03:03 2013 -0700 integer overflow in XvListImageFormats() [CVE-2013-1989 2/3] num_formats is a CARD32 and needs to be bounds checked before multiplying by sizeof(XvImageFormatValues) to come up with the total size to allocate, to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>
diff --git a/src/Xv.c b/src/Xv.c
index f9813eb..0a07d9d 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -918,9 +918,10 @@ XvImageFormatValues * XvListImageFormats (
 }
 if(rep.num_formats) {
- int size = (rep.num_formats * sizeof(XvImageFormatValues));
+ if (rep.num_formats < (INT_MAX / sizeof(XvImageFormatValues)))
+ ret = Xmalloc(rep.num_formats * sizeof(XvImageFormatValues));
- if((ret = Xmalloc(size))) {
+ if (ret != NULL) {
 xvImageFormatInfo Info;
 int i;
commit 15ab7dec17d686c38f2c82ac23a17cac5622322a Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Sat Apr 13 00:16:14 2013 -0700 buffer overflow in XvQueryPortAttributes() [CVE-2013-2066] Each attribute returned in the reply includes the number of bytes to read for its marker. We had been always trusting it, and never validating that it wouldn't cause us to write past the end of the buffer we allocated based on the reported text_size. Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>
diff --git a/src/Xv.c b/src/Xv.c
index 3cbad35..f9813eb 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -864,14 +864,20 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
 xvAttributeInfo Info;
 int i;
+ /* keep track of remaining room for text strings */
+ size = rep.text_size;
+
 for(i = 0; i < rep.num_attributes; i++) {
 _XRead(dpy, (char*)(&Info), sz_xvAttributeInfo);
 ret[i].flags = (int)Info.flags;
 ret[i].min_value = Info.min;
 ret[i].max_value = Info.max;
 ret[i].name = marker;
- _XRead(dpy, marker, Info.size);
- marker += Info.size;
+ if (Info.size <= size) {
+ _XRead(dpy, marker, Info.size);
+ marker += Info.size;
+ size -= Info.size;
+ }
 (*num)++;
 }
 } else
commit 6e1b743a276651195be3cd68dff41e38426bf3ab Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Sat Apr 13 00:03:03 2013 -0700 integer overflow in XvQueryPortAttributes() [CVE-2013-1989 1/3] The num_attributes & text_size members of the reply are both CARD32s and need to be bounds checked before multiplying & adding them together to come up with the total size to allocate, to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>
diff --git a/src/Xv.c b/src/Xv.c
index 5be1d95..3cbad35 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -851,9 +851,15 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
 }
 if(rep.num_attributes) {
- int size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size;
+ unsigned long size;
+ /* limit each part to no more than one half the max size */
+ if ((rep.num_attributes < ((INT_MAX / 2) / sizeof(XvAttribute))) &&
+ (rep.text_size < (INT_MAX / 2))) {
+ size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size;
+ ret = Xmalloc(size);
+ }
- if((ret = Xmalloc(size))) {
+ if (ret != NULL) {
 char* marker = (char*)(&ret[rep.num_attributes]);
 xvAttributeInfo Info;
 int i;
commit 79362c764a6df7e7fbe5247756bdbf60f3a58baf Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Sat Apr 13 00:28:34 2013 -0700 Use _XEatDataWords to avoid overflow of rep.length shifting rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>
diff --git a/configure.ac b/configure.ac
index 5494b5d..6a335db 100644
--- a/configure.ac
+++ b/configure.ac
@@ -43,6 +43,12 @@ XORG_CHECK_MALLOC_ZERO
 # Obtain compiler/linker options for depedencies
 PKG_CHECK_MODULES(XV, x11 xext xextproto videoproto)
+# Check for _XEatDataWords function that may be patched into older Xlib release
+SAVE_LIBS="$LIBS"
+LIBS="$XV_LIBS"
+AC_CHECK_FUNCS([_XEatDataWords])
+LIBS="$SAVE_LIBS"
+
 # Allow checking code with lint, sparse, etc.
 XORG_WITH_LINT
 XORG_LINT_LIBRARY([Xv])
diff --git a/src/Xv.c b/src/Xv.c
index b081e8a..5be1d95 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -49,11 +49,27 @@ SOFTWARE. ** */
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
 #include <stdio.h>
 #include "Xvlibint.h"
 #include <X11/extensions/Xext.h>
 #include <X11/extensions/extutil.h>
 #include <X11/extensions/XShm.h>
+#include <limits.h>
+
+#ifndef HAVE__XEATDATAWORDS
+static inline void _XEatDataWords(Display *dpy, unsigned long n)
+{
+# ifndef LONG64
+ if (n >= (ULONG_MAX >> 2))
+ _XIOError(dpy);
+# endif
+ _XEatData (dpy, n << 2);
+}
+#endif
 static XExtensionInfo _xv_info_data;
 static XExtensionInfo *xv_info = &_xv_info_data;
@@ -853,7 +869,7 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
 (*num)++;
 }
 } else
- _XEatData(dpy, rep.length << 2);
+ _XEatDataWords(dpy, rep.length);
 }
 UnlockDisplay(dpy);
@@ -923,7 +939,7 @@ XvImageFormatValues * XvListImageFormats (
 (*num)++;
 }
 } else
- _XEatData(dpy, rep.length << 2);
+ _XEatDataWords(dpy, rep.length);
 }
 UnlockDisplay(dpy);
@@ -976,7 +992,7 @@ XvImage * XvCreateImage (
 _XRead(dpy, (char*)(ret->pitches), rep.num_planes << 2);
 _XRead(dpy, (char*)(ret->offsets), rep.num_planes << 2);
 } else
- _XEatData(dpy, rep.length << 2);
+ _XEatDataWords(dpy, rep.length);
 UnlockDisplay(dpy);
 SyncHandle();
commit ed13edeac5adc2e6afcd87f63b5ae1ff9ad47958 Author: Colin Walters <walt...@verbum.org> Date: Wed Jan 4 17:37:06 2012 -0500 autogen.sh: Implement GNOME Build API http://people.gnome.org/~walters/docs/build-api.txt Signed-off-by: Adam Jackson <a...@redhat.com>
diff --git a/autogen.sh b/autogen.sh
index 904cd67..fc34bd5 100755
--- a/autogen.sh
+++ b/autogen.sh
@@ -9,4 +9,6 @@ cd $srcdir
 autoreconf -v --install || exit 1
 cd $ORIGDIR || exit $?
-$srcdir/configure --enable-maintainer-mode "$@"
+if test -z "$NOCONFIGURE"; then
+ $srcdir/configure "$@"
+fi
commit 1006d44b8674b5d9c5d7e893878776fbd34dbed2 Author: Adam Jackson <a...@redhat.com> Date: Tue Jan 15 14:28:48 2013 -0500 configure: Remove AM_MAINTAINER_MODE Signed-off-by: Adam Jackson <a...@redhat.com>
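Review bot: In the autogen.sh hunk the new `$srcdir/configure "$@"` line quotes `"$@"` but leaves `$srcdir` unquoted, so a source path containing whitespace is word-split before configure runs; `"$srcdir"/configure "$@"` is the consistent form (the surrounding `cd $srcdir` / `cd $ORIGDIR` context lines have the same issue but are not part of this change). Dropping `--enable-maintainer-mode` here is consistent with the next commit on this page, which removes `AM_MAINTAINER_MODE` from configure.ac.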
diff --git a/configure.ac b/configure.ac
index d3ad5bf..5494b5d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -29,7 +29,6 @@ AC_CONFIG_HEADERS([config.h]) # Initialize Automake -- To UNSUBSCRIBE, email to debian-x-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/e1v8ym0-00024t...@vasks.debian.org