ChangeLog | 122 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ autogen.sh | 4 + configure.ac | 9 +++- debian/changelog | 11 ++++ debian/compat | 2 debian/control | 1 debian/rules | 15 ++---- src/XvMC.c | 79 ++++++++++++++++++++++------------- 8 files changed, 199 insertions(+), 44 deletions(-)
New commits: commit 401bc1887fb14084dabd90f45270d61b0515d168 Author: Julien Cristau <jcris...@debian.org> Date: Mon Aug 12 22:22:13 2013 +0200 Upload to unstable diff --git a/debian/changelog b/debian/changelog index 9207e2c..b13a9ea 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,4 @@ -libxvmc (2:1.0.8-1) UNRELEASED; urgency=low +libxvmc (2:1.0.8-1) unstable; urgency=low * New upstream release - fixes CVE-2013-1990 and CVE-2013-1999 @@ -7,7 +7,7 @@ libxvmc (2:1.0.8-1) UNRELEASED; urgency=low * Disable silent build rules. * Replace dh_clean -k with dh_prep. - -- Julien Cristau <jcris...@debian.org> Mon, 12 Aug 2013 22:13:15 +0200 + -- Julien Cristau <jcris...@debian.org> Mon, 12 Aug 2013 22:22:00 +0200 libxvmc (2:1.0.7-2) unstable; urgency=low commit c414bd0af46905131cb3d25edea54885b8eb7d6f Author: Julien Cristau <jcris...@debian.org> Date: Mon Aug 12 22:21:44 2013 +0200 Replace dh_clean -k with dh_prep. diff --git a/debian/changelog b/debian/changelog index 709f68f..9207e2c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -5,6 +5,7 @@ libxvmc (2:1.0.8-1) UNRELEASED; urgency=low * Bump debhelper compat level to 7. * Use dpkg-buildflags. * Disable silent build rules. + * Replace dh_clean -k with dh_prep. -- Julien Cristau <jcris...@debian.org> Mon, 12 Aug 2013 22:13:15 +0200 diff --git a/debian/rules b/debian/rules index a01e1e1..8c6b373 100755 --- a/debian/rules +++ b/debian/rules @@ -60,7 +60,7 @@ clean: xsfclean install: build dh_testdir dh_testroot - dh_clean -k + dh_prep dh_installdirs cd build && $(MAKE) DESTDIR=$(CURDIR)/debian/tmp install commit f1623a5d559d5ef54df2a3f8035a1ab4c4705219 Author: Julien Cristau <jcris...@debian.org> Date: Mon Aug 12 22:17:00 2013 +0200 Disable silent build rules. diff --git a/debian/changelog b/debian/changelog index cb4650f..709f68f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -4,6 +4,7 @@ libxvmc (2:1.0.8-1) UNRELEASED; urgency=low - fixes CVE-2013-1990 and CVE-2013-1999 * Bump debhelper compat level to 7. * Use dpkg-buildflags. + * Disable silent build rules. -- Julien Cristau <jcris...@debian.org> Mon, 12 Aug 2013 22:13:15 +0200 diff --git a/debian/rules b/debian/rules index 3111f0d..a01e1e1 100755 --- a/debian/rules +++ b/debian/rules @@ -39,6 +39,7 @@ build-stamp: --libdir=\$${prefix}/lib/$(DEB_HOST_MULTIARCH) \ --sysconfdir=/etc --mandir=\$${prefix}/share/man \ --infodir=\$${prefix}/share/info $(confflags) \ + --disable-silent-rules \ $(shell DEB_CFLAGS_MAINT_APPEND=-Wall dpkg-buildflags --export=configure) cd build && $(MAKE) >$@ commit e7ad51b4dc561ef605cb969f99a60587f339655d Author: Julien Cristau <jcris...@debian.org> Date: Mon Aug 12 22:16:13 2013 +0200 Use dpkg-buildflags. diff --git a/debian/changelog b/debian/changelog index 740d1e3..cb4650f 100644 --- a/debian/changelog +++ b/debian/changelog @@ -3,6 +3,7 @@ libxvmc (2:1.0.8-1) UNRELEASED; urgency=low * New upstream release - fixes CVE-2013-1990 and CVE-2013-1999 * Bump debhelper compat level to 7. + * Use dpkg-buildflags. -- Julien Cristau <jcris...@debian.org> Mon, 12 Aug 2013 22:13:15 +0200 diff --git a/debian/control b/debian/control index 073a082..cf3c83f 100644 --- a/debian/control +++ b/debian/control @@ -4,6 +4,7 @@ Priority: optional Maintainer: Debian X Strike Force <debian-x@lists.debian.org> Uploaders: Drew Parsons <dpars...@debian.org>, Cyril Brulebois <k...@debian.org> Build-Depends: + dpkg-dev (>= 1.16.1), debhelper (>= 8.1.3), libx11-dev (>= 1:0.99.2), libxext-dev (>= 1:0.99.1), diff --git a/debian/rules b/debian/rules index 17737f7..3111f0d 100755 --- a/debian/rules +++ b/debian/rules @@ -14,12 +14,6 @@ DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH) include debian/xsfbs/xsfbs.mk -CFLAGS = -Wall -g -ifneq (,$(filter noopt,$(DEB_BUILD_OPTIONS))) - CFLAGS += -O0 -else - CFLAGS += -O2 -endif ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) NUMJOBS = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) MAKEFLAGS += -j$(NUMJOBS) @@ -45,7 +39,7 @@ build-stamp: --libdir=\$${prefix}/lib/$(DEB_HOST_MULTIARCH) \ --sysconfdir=/etc --mandir=\$${prefix}/share/man \ --infodir=\$${prefix}/share/info $(confflags) \ - CFLAGS="$(CFLAGS)" + $(shell DEB_CFLAGS_MAINT_APPEND=-Wall dpkg-buildflags --export=configure) cd build && $(MAKE) >$@ commit c5b64ceb90a86cb6da3c400d9a8c258a14d9ed3d Author: Julien Cristau <jcris...@debian.org> Date: Mon Aug 12 22:14:53 2013 +0200 Bump debhelper compat level to 7. diff --git a/debian/changelog b/debian/changelog index ebb0e3a..740d1e3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -2,6 +2,7 @@ libxvmc (2:1.0.8-1) UNRELEASED; urgency=low * New upstream release - fixes CVE-2013-1990 and CVE-2013-1999 + * Bump debhelper compat level to 7. -- Julien Cristau <jcris...@debian.org> Mon, 12 Aug 2013 22:13:15 +0200 diff --git a/debian/compat b/debian/compat index 7ed6ff8..7f8f011 100644 --- a/debian/compat +++ b/debian/compat @@ -1 +1 @@ -5 +7 diff --git a/debian/rules b/debian/rules index 4f04ac4..17737f7 100755 --- a/debian/rules +++ b/debian/rules @@ -78,8 +78,8 @@ binary-arch: build install dh_testroot dh_installdocs - dh_install --sourcedir=debian/tmp --fail-missing --exclude=.la - dh_installchangelogs ChangeLog + dh_install --fail-missing --exclude=.la + dh_installchangelogs dh_link dh_strip --dbg-package=$(PACKAGE)-dbg dh_compress commit c949baa59696d34ef24164b48f37304045527b2f Author: Julien Cristau <jcris...@debian.org> Date: Mon Aug 12 22:13:46 2013 +0200 Bump changelogs diff --git a/ChangeLog b/ChangeLog index 7beaae4..d445503 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,125 @@ +commit 1fb06ecf88155452ece93ac309435106f9569d54 +Author: Alan Coopersmith <alan.coopersm...@oracle.com> +Date: Thu Jun 13 22:57:03 2013 -0700 + + libXvMC 1.0.8 + + Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> + +commit 554200b59e880a1cf36dd244eeb5f330d93499b6 +Author: Julien Cristau <jcris...@debian.org> +Date: Sat Jun 1 11:26:15 2013 +0200 + + avoid overflowing by making nameLen and busIDLen addition overflow + + Al Viro pointed this out on lwn: if nameLen + busIDLen overflows, we end + up copying data from outside tmpBuf. + + Reported-by: Al Viro <v...@zeniv.linux.org.uk> + Signed-off-by: Julien Cristau <jcris...@debian.org> + Reviewed-by: Alan Coopersmith <alan.coopersm...@oracle.com> + Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> + +commit 8c164524d229adb6141fdac8336b3823e7fe1a5d +Author: Dave Airlie <airl...@redhat.com> +Date: Fri May 24 14:47:30 2013 +1000 + + Multiple unvalidated patches in CVE-2013-1999 + + Al Viro pointed out that Debian started segfaulting in Xine for him, + + Reported-by: Al Viro + Signed-off-by: Dave Airlie <airl...@redhat.com> + +commit e9415ddef2ac81d4139bd32d5e9cda9394a60051 +Author: Alan Coopersmith <alan.coopersm...@oracle.com> +Date: Sat Apr 13 01:20:08 2013 -0700 + + Multiple unvalidated assumptions in XvMCGetDRInfo() [CVE-2013-1999] + + The individual string sizes is assumed to not be more than the amount of + data read from the network, and could cause buffer overflow if they are. + + The strings returned from the X server are assumed to be null terminated, + and could cause callers to read past the end of the buffer if they are not. + + Also be sure to set the returned pointers to NULL, so callers don't try + accessing bad pointers on failure cases. + + Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com> + Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> + +commit 5fd871e5f878810f8f8837725d548e07e89577ab +Author: Alan Coopersmith <alan.coopersm...@oracle.com> +Date: Sat Apr 13 00:50:02 2013 -0700 + + integer overflow in _xvmc_create_*() + + rep.length is a CARD32 and should be bounds checked before left-shifting + by 2 bits to come up with the total size to allocate, though in these + cases, no buffer overflow should occur here, since the XRead call is passed + the same rep.length << 2 length argument, but the *priv_count returned to + the caller could be interpreted or used to calculate a larger buffer size + than was actually allocated, leading them to go out of bounds. + + Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> + +commit 478d4e5873eeee2ebdce6673e4e3469816ab63b8 +Author: Alan Coopersmith <alan.coopersm...@oracle.com> +Date: Sat Apr 13 00:50:02 2013 -0700 + + integer overflow in XvMCListSubpictureTypes() [CVE-2013-1990 2/2] + + rep.num is a CARD32 and needs to be bounds checked before multiplying by + sizeof(XvImageFormatValues) to come up with the total size to allocate, + to avoid integer overflow leading to underallocation and writing data from + the network past the end of the allocated buffer. + + Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com> + Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> + +commit 2712383813b26475dc6713888414d842be57f8ca +Author: Alan Coopersmith <alan.coopersm...@oracle.com> +Date: Sat Apr 13 00:50:02 2013 -0700 + + integer overflow in XvMCListSurfaceTypes() [CVE-2013-1990 1/2] + + rep.num is a CARD32 and needs to be bounds checked before multiplying + by sizeof(XvMCSurfaceInfo) to come up with the total size to allocate, + to avoid integer overflow leading to underallocation and writing data from + the network past the end of the allocated buffer. + + Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com> + Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> + +commit cf1a1dc1b9ca34a29d0471da9389f8eae70ddbd9 +Author: Alan Coopersmith <alan.coopersm...@oracle.com> +Date: Sat Apr 13 00:47:57 2013 -0700 + + Use _XEatDataWords to avoid overflow of rep.length shifting + + rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds + + Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> + +commit 2fb49b59ff530ea3d0288b1b1ab5ccd046a1213b +Author: Colin Walters <walt...@verbum.org> +Date: Wed Jan 4 17:37:06 2012 -0500 + + autogen.sh: Implement GNOME Build API + + http://people.gnome.org/~walters/docs/build-api.txt + + Signed-off-by: Adam Jackson <a...@redhat.com> + +commit f2db5efdba40d84493a95a2ffb9bc734b83d8503 +Author: Adam Jackson <a...@redhat.com> +Date: Tue Jan 15 14:28:48 2013 -0500 + + configure: Remove AM_MAINTAINER_MODE + + Signed-off-by: Adam Jackson <a...@redhat.com> + commit bcc4c4f3b7ad3c880e97f27951c97cb7ba856658 Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Wed Mar 7 21:31:11 2012 -0800 diff --git a/debian/changelog b/debian/changelog index 3f2d548..ebb0e3a 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +libxvmc (2:1.0.8-1) UNRELEASED; urgency=low + + * New upstream release + - fixes CVE-2013-1990 and CVE-2013-1999 + + -- Julien Cristau <jcris...@debian.org> Mon, 12 Aug 2013 22:13:15 +0200 + libxvmc (2:1.0.7-2) unstable; urgency=low * Team upload. commit 1fb06ecf88155452ece93ac309435106f9569d54 Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Thu Jun 13 22:57:03 2013 -0700 libXvMC 1.0.8 Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> diff --git a/configure.ac b/configure.ac index f9d59a1..7c2a7e0 100644 --- a/configure.ac +++ b/configure.ac @@ -21,7 +21,7 @@ # Initialize Autoconf AC_PREREQ([2.60]) -AC_INIT([libXvMC], [1.0.7], +AC_INIT([libXvMC], [1.0.8], [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXvMC]) AC_CONFIG_SRCDIR([Makefile.am]) AC_CONFIG_HEADERS([config.h]) commit 554200b59e880a1cf36dd244eeb5f330d93499b6 Author: Julien Cristau <jcris...@debian.org> Date: Sat Jun 1 11:26:15 2013 +0200 avoid overflowing by making nameLen and busIDLen addition overflow Al Viro pointed this out on lwn: if nameLen + busIDLen overflows, we end up copying data from outside tmpBuf. Reported-by: Al Viro <v...@zeniv.linux.org.uk> Signed-off-by: Julien Cristau <jcris...@debian.org> Reviewed-by: Alan Coopersmith <alan.coopersm...@oracle.com> Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> diff --git a/src/XvMC.c b/src/XvMC.c index 74c8b85..00ac760 100644 --- a/src/XvMC.c +++ b/src/XvMC.c @@ -573,7 +573,9 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port, unsigned long realSize = 0; char *tmpBuf = NULL; - if (rep.length < (INT_MAX >> 2)) { + if ((rep.length < (INT_MAX >> 2)) && + /* protect against overflow in strncpy below */ + (rep.nameLen + rep.busIDLen > rep.nameLen)) { realSize = rep.length << 2; if (realSize >= (rep.nameLen + rep.busIDLen)) { tmpBuf = Xmalloc(realSize); commit 8c164524d229adb6141fdac8336b3823e7fe1a5d Author: Dave Airlie <airl...@redhat.com> Date: Fri May 24 14:47:30 2013 +1000 Multiple unvalidated patches in CVE-2013-1999 Al Viro pointed out that Debian started segfaulting in Xine for him, Reported-by: Al Viro Signed-off-by: Dave Airlie <airl...@redhat.com> diff --git a/src/XvMC.c b/src/XvMC.c index cb42487..74c8b85 100644 --- a/src/XvMC.c +++ b/src/XvMC.c @@ -585,15 +585,15 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port, if (*name && *busID && tmpBuf) { _XRead(dpy, tmpBuf, realSize); strncpy(*name,tmpBuf,rep.nameLen); - name[rep.nameLen - 1] = '\0'; + (*name)[rep.nameLen - 1] = '\0'; strncpy(*busID,tmpBuf+rep.nameLen,rep.busIDLen); - busID[rep.busIDLen - 1] = '\0'; + (*busID)[rep.busIDLen - 1] = '\0'; XFree(tmpBuf); } else { XFree(*name); *name = NULL; XFree(*busID); - *name = NULL; + *busID = NULL; XFree(tmpBuf); _XEatDataWords(dpy, rep.length); commit e9415ddef2ac81d4139bd32d5e9cda9394a60051 Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Sat Apr 13 01:20:08 2013 -0700 Multiple unvalidated assumptions in XvMCGetDRInfo() [CVE-2013-1999] The individual string sizes is assumed to not be more than the amount of data read from the network, and could cause buffer overflow if they are. The strings returned from the X server are assumed to be null terminated, and could cause callers to read past the end of the buffer if they are not. Also be sure to set the returned pointers to NULL, so callers don't try accessing bad pointers on failure cases. Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> diff --git a/src/XvMC.c b/src/XvMC.c index d8bc59d..cb42487 100644 --- a/src/XvMC.c +++ b/src/XvMC.c @@ -499,7 +499,6 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port, XExtDisplayInfo *info = xvmc_find_display(dpy); xvmcGetDRInfoReply rep; xvmcGetDRInfoReq *req; - char *tmpBuf = NULL; CARD32 magic; #ifdef HAVE_SHMAT @@ -510,6 +509,9 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port, here.tz_dsttime = 0; #endif + *name = NULL; + *busID = NULL; + XvMCCheckExtension (dpy, info, BadImplementation); LockDisplay (dpy); @@ -568,31 +570,31 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port, #endif if (rep.length > 0) { - - int realSize = rep.length << 2; - - tmpBuf = (char *) Xmalloc(realSize); - if (tmpBuf) { - *name = (char *) Xmalloc(rep.nameLen); - if (*name) { - *busID = (char *) Xmalloc(rep.busIDLen); - if (! *busID) { - XFree(*name); - XFree(tmpBuf); - } - } else { - XFree(tmpBuf); + unsigned long realSize = 0; + char *tmpBuf = NULL; + + if (rep.length < (INT_MAX >> 2)) { + realSize = rep.length << 2; + if (realSize >= (rep.nameLen + rep.busIDLen)) { + tmpBuf = Xmalloc(realSize); + *name = Xmalloc(rep.nameLen); + *busID = Xmalloc(rep.busIDLen); } } if (*name && *busID && tmpBuf) { - _XRead(dpy, tmpBuf, realSize); strncpy(*name,tmpBuf,rep.nameLen); + name[rep.nameLen - 1] = '\0'; strncpy(*busID,tmpBuf+rep.nameLen,rep.busIDLen); + busID[rep.busIDLen - 1] = '\0'; XFree(tmpBuf); - } else { + XFree(*name); + *name = NULL; + XFree(*busID); + *name = NULL; + XFree(tmpBuf); _XEatDataWords(dpy, rep.length); UnlockDisplay (dpy); commit 5fd871e5f878810f8f8837725d548e07e89577ab Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Sat Apr 13 00:50:02 2013 -0700 integer overflow in _xvmc_create_*() rep.length is a CARD32 and should be bounds checked before left-shifting by 2 bits to come up with the total size to allocate, though in these cases, no buffer overflow should occur here, since the XRead call is passed the same rep.length << 2 length argument, but the *priv_count returned to the caller could be interpreted or used to calculate a larger buffer size than was actually allocated, leading them to go out of bounds. Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> diff --git a/src/XvMC.c b/src/XvMC.c index 8d602ec..d8bc59d 100644 --- a/src/XvMC.c +++ b/src/XvMC.c @@ -285,7 +285,8 @@ Status _xvmc_create_context ( context->flags = rep.flags_return; if(rep.length) { - *priv_data = Xmalloc(rep.length << 2); + if (rep.length < (INT_MAX >> 2)) + *priv_data = Xmalloc(rep.length << 2); if(*priv_data) { _XRead(dpy, (char*)(*priv_data), rep.length << 2); *priv_count = rep.length; @@ -366,7 +367,8 @@ Status _xvmc_create_surface ( } if(rep.length) { - *priv_data = Xmalloc(rep.length << 2); + if (rep.length < (INT_MAX >> 2)) + *priv_data = Xmalloc(rep.length << 2); if(*priv_data) { _XRead(dpy, (char*)(*priv_data), rep.length << 2); *priv_count = rep.length; @@ -456,7 +458,8 @@ Status _xvmc_create_subpicture ( subpicture->component_order[3] = rep.component_order[3]; if(rep.length) { - *priv_data = Xmalloc(rep.length << 2); + if (rep.length < (INT_MAX >> 2)) + *priv_data = Xmalloc(rep.length << 2); if(*priv_data) { _XRead(dpy, (char*)(*priv_data), rep.length << 2); *priv_count = rep.length; commit 478d4e5873eeee2ebdce6673e4e3469816ab63b8 Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Sat Apr 13 00:50:02 2013 -0700 integer overflow in XvMCListSubpictureTypes() [CVE-2013-1990 2/2] rep.num is a CARD32 and needs to be bounds checked before multiplying by sizeof(XvImageFormatValues) to come up with the total size to allocate, to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> diff --git a/src/XvMC.c b/src/XvMC.c index 5d8c2cf..8d602ec 100644 --- a/src/XvMC.c +++ b/src/XvMC.c @@ -184,8 +184,8 @@ XvImageFormatValues * XvMCListSubpictureTypes ( } if(rep.num > 0) { - ret = - (XvImageFormatValues*)Xmalloc(rep.num * sizeof(XvImageFormatValues)); + if (rep.num < (INT_MAX / sizeof(XvImageFormatValues))) + ret = Xmalloc(rep.num * sizeof(XvImageFormatValues)); if(ret) { xvImageFormatInfo Info; commit 2712383813b26475dc6713888414d842be57f8ca Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Sat Apr 13 00:50:02 2013 -0700 integer overflow in XvMCListSurfaceTypes() [CVE-2013-1990 1/2] rep.num is a CARD32 and needs to be bounds checked before multiplying by sizeof(XvMCSurfaceInfo) to come up with the total size to allocate, to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> diff --git a/src/XvMC.c b/src/XvMC.c index b3e97ec..5d8c2cf 100644 --- a/src/XvMC.c +++ b/src/XvMC.c @@ -123,8 +123,8 @@ XvMCSurfaceInfo * XvMCListSurfaceTypes(Display *dpy, XvPortID port, int *num) } if(rep.num > 0) { - surface_info = - (XvMCSurfaceInfo*)Xmalloc(rep.num * sizeof(XvMCSurfaceInfo)); + if (rep.num < (INT_MAX / sizeof(XvMCSurfaceInfo))) + surface_info = Xmalloc(rep.num * sizeof(XvMCSurfaceInfo)); if(surface_info) { xvmcSurfaceInfo sinfo; commit cf1a1dc1b9ca34a29d0471da9389f8eae70ddbd9 Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Sat Apr 13 00:47:57 2013 -0700 Use _XEatDataWords to avoid overflow of rep.length shifting rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> diff --git a/configure.ac b/configure.ac index b44f80d..f9d59a1 100644 --- a/configure.ac +++ b/configure.ac @@ -42,6 +42,12 @@ XORG_CHECK_MALLOC_ZERO # Obtain compiler/linker options for depedencies PKG_CHECK_MODULES(XVMC, x11 xext xv xextproto videoproto) +# Check for _XEatDataWords function that may be patched into older Xlib release +SAVE_LIBS="$LIBS" +LIBS="$XVMC_LIBS" +AC_CHECK_FUNCS([_XEatDataWords]) +LIBS="$SAVE_LIBS" + # Checks for library functions. AC_CHECK_FUNCS([shmat]) diff --git a/src/XvMC.c b/src/XvMC.c index 5a4cf0d..b3e97ec 100644 --- a/src/XvMC.c +++ b/src/XvMC.c @@ -16,6 +16,18 @@ #include <sys/time.h> #include <X11/extensions/Xext.h> #include <X11/extensions/extutil.h> +#include <limits.h> + +#ifndef HAVE__XEATDATAWORDS +static inline void _XEatDataWords(Display *dpy, unsigned long n) +{ +# ifndef LONG64 + if (n >= (ULONG_MAX >> 2)) + _XIOError(dpy); +# endif + _XEatData (dpy, n << 2); +} +#endif static XExtensionInfo _xvmc_info_data; static XExtensionInfo *xvmc_info = &_xvmc_info_data; @@ -134,7 +146,7 @@ XvMCSurfaceInfo * XvMCListSurfaceTypes(Display *dpy, XvPortID port, int *num) surface_info[i].flags = sinfo.flags; } } else - _XEatData(dpy, rep.length << 2); + _XEatDataWords(dpy, rep.length); } UnlockDisplay (dpy); @@ -207,7 +219,7 @@ XvImageFormatValues * XvMCListSubpictureTypes ( ret[i].scanline_order = Info.scanline_order; } } else - _XEatData(dpy, rep.length << 2); + _XEatDataWords(dpy, rep.length); } UnlockDisplay (dpy); @@ -278,7 +290,7 @@ Status _xvmc_create_context ( _XRead(dpy, (char*)(*priv_data), rep.length << 2); *priv_count = rep.length; } else - _XEatData(dpy, rep.length << 2); + _XEatDataWords(dpy, rep.length); } UnlockDisplay (dpy); @@ -359,7 +371,7 @@ Status _xvmc_create_surface ( _XRead(dpy, (char*)(*priv_data), rep.length << 2); *priv_count = rep.length; } else - _XEatData(dpy, rep.length << 2); + _XEatDataWords(dpy, rep.length); } UnlockDisplay (dpy); @@ -449,7 +461,7 @@ Status _xvmc_create_subpicture ( _XRead(dpy, (char*)(*priv_data), rep.length << 2); *priv_count = rep.length; } else - _XEatData(dpy, rep.length << 2); + _XEatDataWords(dpy, rep.length); } UnlockDisplay (dpy); @@ -579,7 +591,7 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port, } else { - _XEatData(dpy, realSize); + _XEatDataWords(dpy, rep.length); UnlockDisplay (dpy); SyncHandle (); return -1; commit 2fb49b59ff530ea3d0288b1b1ab5ccd046a1213b Author: Colin Walters <walt...@verbum.org> Date: Wed Jan 4 17:37:06 2012 -0500 autogen.sh: Implement GNOME Build API http://people.gnome.org/~walters/docs/build-api.txt Signed-off-by: Adam Jackson <a...@redhat.com> diff --git a/autogen.sh b/autogen.sh index 904cd67..fc34bd5 100755 --- a/autogen.sh +++ b/autogen.sh @@ -9,4 +9,6 @@ cd $srcdir autoreconf -v --install || exit 1 cd $ORIGDIR || exit $? -$srcdir/configure --enable-maintainer-mode "$@" +if test -z "$NOCONFIGURE"; then + $srcdir/configure "$@" +fi commit f2db5efdba40d84493a95a2ffb9bc734b83d8503 Author: Adam Jackson <a...@redhat.com> Date: Tue Jan 15 14:28:48 2013 -0500 configure: Remove AM_MAINTAINER_MODE Signed-off-by: Adam Jackson <a...@redhat.com> diff --git a/configure.ac b/configure.ac index ae7d08b..b44f80d 100644 --- a/configure.ac +++ b/configure.ac @@ -28,7 +28,6 @@ AC_CONFIG_HEADERS([config.h]) # Initialize Automake AM_INIT_AUTOMAKE([foreign dist-bzip2]) -AM_MAINTAINER_MODE # Initialize libtool AC_PROG_LIBTOOL -- To UNSUBSCRIBE, email to debian-x-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/e1v8yev-0004u6...@vasks.debian.org