autogen.sh | 4 +- configure.ac | 9 ++++- src/XF86DGA2.c | 86 +++++++++++++++++++++++++++++++++++++++++++-------------- 3 files changed, 75 insertions(+), 24 deletions(-)
New commits: commit 0f2e21d7e8310cf7bc02bba56884be0e52c061ae Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Thu May 30 18:36:19 2013 -0700 libXxf86dga 1.1.4 Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> diff --git a/configure.ac b/configure.ac index 955fa3c..3127c6e 100644 --- a/configure.ac +++ b/configure.ac @@ -1,7 +1,7 @@ # Initialize Autoconf AC_PREREQ([2.60]) -AC_INIT([libXxf86dga], [1.1.3], +AC_INIT([libXxf86dga], [1.1.4], [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXxf86dga]) AC_CONFIG_SRCDIR([Makefile.am]) AC_CONFIG_HEADERS(src/config.h) commit a8dc6be3213bc91dec5e25535ef4bad5a9456af0 Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Sat Apr 13 12:53:49 2013 -0700 integer overflow in XDGAOpenFramebuffer() rep.length is a CARD32 and should be bounds checked before left shifting to come up with the size to allocate and read from the network, though since both functions take the same size, there should be no way for the buffer to be overflowed in this case. Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c index 4d13677..9c656e6 100644 --- a/src/XF86DGA2.c +++ b/src/XF86DGA2.c 
@@ -250,9 +250,14 @@ Bool XDGAOpenFramebuffer( return False; } - if(rep.length) { - deviceName = Xmalloc(rep.length << 2); - _XRead(dpy, deviceName, rep.length << 2); + if (rep.length) { + if (rep.length < (INT_MAX >> 2)) { + unsigned long size = rep.length << 2; + deviceName = Xmalloc(size); + _XRead(dpy, deviceName, size); + deviceName[size - 1] = '\0'; + } else + _XEatDataWords(dpy, rep.length); } ret = XDGAMapFramebuffer(screen, deviceName, commit b69d6d51a82b1d1e8c68a233360acb742c879375 Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Sat Apr 13 12:45:41 2013 -0700 buffer overflow in XDGASetMode() [CVE-2013-2000 2/2] When reading the name strings for the mode off the network, we never checked to make sure the length of the name strings didn't overflow the size of the buffer we'd allocated based on the reported rep.length for the total reply size. Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c index 90ca918..4d13677 100644 --- a/src/XF86DGA2.c +++ b/src/XF86DGA2.c 
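Review bot: In the XDGAOpenFramebuffer hunk the result of `Xmalloc(size)` is passed straight to `_XRead()` and then indexed by `deviceName[size - 1] = '\0';`, so a failed allocation becomes a NULL write driven by a server-supplied length. The new bounds check caps the size but does not cover this path. Guard the read with `if (deviceName != NULL) { ... } else _XEatDataWords(dpy, rep.length);` so the reply is still drained when the allocation fails. The function body continues outside the hunk, so how `deviceName` is initialised and freed is not visible here.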
@@ -444,8 +444,14 @@ XDGASetMode( dev->mode.reserved1 = info.reserved1; dev->mode.reserved2 = info.reserved2; - dev->mode.name = (char*)(&dev[1]); - _XRead(dpy, dev->mode.name, info.name_size); + if (info.name_size > 0 && info.name_size <= size) { + dev->mode.name = (char*)(&dev[1]); + _XRead(dpy, dev->mode.name, info.name_size); + dev->mode.name[info.name_size - 1] = '\0'; + } else { + dev->mode.name = NULL; + _XEatDataWords(dpy, rep.length); + } dev->pixmap = (rep.flags & XDGAPixmap) ? pid : 0; dev->data = XDGAGetMappedMemory(screen); commit f89cf306a60facdf102696840bc05acebd7d1772 Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Sat Apr 13 12:38:25 2013 -0700 integer overflow & underflow in XDGASetMode() [CVE-2013-1991 2/2] rep.length is a CARD32 and needs to be bounds checked before bit shifting and subtracting sz_xXDGAModeInfo to come up with the total size to allocate, to avoid integer overflow or underflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c index b5145ee..90ca918 100644 --- a/src/XF86DGA2.c +++ b/src/XF86DGA2.c @@ -405,12 +405,15 @@ XDGASetMode( if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) { if(rep.length) { xXDGAModeInfo info; - int size; + unsigned long size; - size = rep.length << 2; - size -= sz_xXDGAModeInfo; /* get text size */ + if ((rep.length < (INT_MAX >> 2)) && + (rep.length > (sz_xXDGAModeInfo >> 2))) { + size = rep.length << 2; + size -= sz_xXDGAModeInfo; /* get text size */ - dev = (XDGADevice*)Xmalloc(sizeof(XDGADevice) + size); + dev = Xmalloc(sizeof(XDGADevice) + size); + } if(dev) { _XRead(dpy, (char*)(&info), sz_xXDGAModeInfo); 
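Review bot: The `else` branch of the XDGASetMode name-size hunk (-444,8) calls `_XEatDataWords(dpy, rep.length)`, which discards the full reply length even though `sz_xXDGAModeInfo` bytes of it were already consumed by the earlier `_XRead(dpy, (char*)(&info), sz_xXDGAModeInfo)`. That appears to over-read by the size of the mode-info record and would take bytes belonging to the next reply or event. Since `size` already holds the text bytes that follow the record, `_XEatData(dpy, size);` looks like the matching amount. Callers also now see `dev->mode.name == NULL`, which deserves a comment at the assignment.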
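Review bot: In the XDGASetMode overflow hunk (-405,12) `size` is declared without an initialiser and is only assigned when both `rep.length` checks pass. The following `if(dev)` is therefore safe only if `dev` is NULL on entry, and that is set outside the hunk. Declaring it as `unsigned long size = 0;`, as the XDGAQueryModes change on this page does, keeps the two functions consistent and removes the dependency on code not shown. A short comment on the condition would also help, for example `/* reject lengths whose byte count overflows or is smaller than one xXDGAModeInfo */`.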
@@ -451,6 +454,8 @@ XDGASetMode( dev->data += rep.offset; } /* not sure what to do if the allocation fails */ + else + _XEatDataWords(dpy, rep.length); } } commit 5dcfa6a8cf2df39828da733e5945e730518c27b3 Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Sat Apr 13 12:27:10 2013 -0700 buffer overflow in XDGAQueryModes() [CVE-2013-2000 1/2] When reading the name strings for the modes off the network, we never checked to make sure the length of the individual name strings didn't overflow the size of the buffer we'd allocated based on the reported rep.length for the total reply size. Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c index 8830266..b5145ee 100644 --- a/src/XF86DGA2.c +++ b/src/XF86DGA2.c @@ -356,9 +356,16 @@ XDGAMode* XDGAQueryModes( modes[i].reserved1 = info.reserved1; modes[i].reserved2 = info.reserved2; - _XRead(dpy, offset, info.name_size); - modes[i].name = offset; - offset += info.name_size; + if (info.name_size > 0 && info.name_size <= size) { + _XRead(dpy, offset, info.name_size); + modes[i].name = offset; + modes[i].name[info.name_size - 1] = '\0'; + offset += info.name_size; + size -= info.name_size; + } else { + _XEatData(dpy, info.name_size); + modes[i].name = NULL; + } } *num = rep.number; } else commit f4a8dd63af518640468d82948f450aad4b2b1e6a Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Sat Apr 13 12:18:57 2013 -0700 integer overflow in XDGAQueryModes() [CVE-2013-1991 1/2] number is a CARD32 and needs to be bounds checked before multiplying by sizeof(XDGAmode) to come up with the total size to allocate, to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> 
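Review bot: The comment `/* not sure what to do if the allocation fails */` in the -451,6 XDGASetMode hunk now sits between the closing brace and the new `else`, and it no longer matches the code, since the branch does handle that case. The branch is also taken when the `rep.length` bounds check rejected the reply, not only on allocation failure. Replace it with something like `/* allocation failed or rep.length out of range: discard the reply */`, placed inside the `else`.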
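Review bot: In the `else` branch of the XDGAQueryModes name-size hunk (-356,9), `_XEatData(dpy, info.name_size)` discards a byte count taken from the wire that has just failed the `<= size` test. It can therefore be larger than what remains of this reply, and the loop then keeps parsing further `xXDGAModeInfo` records from whatever follows. It would be safer to stop parsing at the first out-of-range `name_size` and discard only the bytes the reply still holds, which needs a running count of unread reply bytes. At minimum, add `/* name_size is untrusted: may exceed the bytes left in this reply */` to the branch. The loop and the function begin outside the hunk.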
diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c index c17c7f1..8830266 100644 --- a/src/XF86DGA2.c +++ b/src/XF86DGA2.c @@ -312,16 +312,21 @@ XDGAMode* XDGAQueryModes( if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) { if(rep.length) { xXDGAModeInfo info; - int i, size; + unsigned long size = 0; char *offset; - size = rep.length << 2; - size -= rep.number * sz_xXDGAModeInfo; /* find text size */ - modes = (XDGAMode*)Xmalloc((rep.number * sizeof(XDGAMode)) + size); - offset = (char*)(&modes[rep.number]); /* start of text */ - + if ((rep.length < (INT_MAX >> 2)) && + (rep.number < (INT_MAX / sizeof(XDGAMode)))) { + size = rep.length << 2; + if (size > (rep.number * sz_xXDGAModeInfo)) { + size -= rep.number * sz_xXDGAModeInfo; /* find text size */ + modes = Xmalloc((rep.number * sizeof(XDGAMode)) + size); + offset = (char*)(&modes[rep.number]); /* start of text */ + } + } - if(modes) { + if (modes != NULL) { + unsigned int i; for(i = 0; i < rep.number; i++) { _XRead(dpy, (char*)(&info), sz_xXDGAModeInfo); commit 6fa471be7a005bde97bcb5ca5a17662ea8d32587 Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Sat Apr 13 12:05:25 2013 -0700 Use _XEatDataWords to avoid overflow of rep.length shifting rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> diff --git a/configure.ac b/configure.ac index 0558326..955fa3c 100644 --- a/configure.ac +++ b/configure.ac @@ -22,6 +22,12 @@ XORG_CHECK_MALLOC_ZERO # Obtain compiler/linker options for depedencies PKG_CHECK_MODULES(XXF86DGA, xproto x11 xextproto xext [xf86dgaproto >= 2.0.99.2]) +# Check for _XEatDataWords function that may be patched into older Xlib release +SAVE_LIBS="$LIBS" +LIBS="$XXF86DGA_LIBS" +AC_CHECK_FUNCS([_XEatDataWords]) +LIBS="$SAVE_LIBS" + AC_CONFIG_FILES([Makefile src/Makefile man/Makefile diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c index 964de18..c17c7f1 100644 --- a/src/XF86DGA2.c +++ b/src/XF86DGA2.c 
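Review bot: In the XDGAQueryModes overflow hunk (-312,16), `offset = (char*)(&modes[rep.number]);` is computed from the `Xmalloc()` result before the `if (modes != NULL)` test, and `offset` stays uninitialised whenever either bounds check fails. Nothing dereferences it on those paths as far as the hunk shows, but it is cleaner to declare `char *offset = NULL;` and move the assignment to the first line inside `if (modes != NULL) {`. Separately, `rep.number` is bounded by `sizeof(XDGAMode)` while the subtraction multiplies by `sz_xXDGAModeInfo`. That is safe only if the wire record is no larger than the struct, which is not visible here and is worth a one-line comment.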
@@ -6,6 +6,9 @@ Copyright (c) 1995,1996 The XFree86 Project, Inc */ /* THIS IS NOT AN X CONSORTIUM STANDARD */ +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif #ifdef __UNIXOS2__ /* needed here to override certain constants in X headers */ #define INCL_DOS @@ -22,6 +25,18 @@ Copyright (c) 1995,1996 The XFree86 Project, Inc #include <stdio.h> #include <stdint.h> +#include <limits.h> + +#ifndef HAVE__XEATDATAWORDS +static inline void _XEatDataWords(Display *dpy, unsigned long n) +{ +# ifndef LONG64 + if (n >= (ULONG_MAX >> 2)) + _XIOError(dpy); +# endif + _XEatData (dpy, n << 2); +} +#endif /* If you change this, change the Bases[] array below as well */ #define MAX_HEADS 16 @@ -342,7 +357,7 @@ XDGAMode* XDGAQueryModes( } *num = rep.number; } else - _XEatData(dpy, rep.length << 2); + _XEatDataWords(dpy, rep.length); } } commit 1e454b8da70e3f125dd512baa5e66f948878f9f5 Author: Colin Walters <walt...@verbum.org> Date: Wed Jan 4 17:37:06 2012 -0500 autogen.sh: Implement GNOME Build API http://people.gnome.org/~walters/docs/build-api.txt Signed-off-by: Adam Jackson <a...@redhat.com> diff --git a/autogen.sh b/autogen.sh index 904cd67..fc34bd5 100755 --- a/autogen.sh +++ b/autogen.sh @@ -9,4 +9,6 @@ cd $srcdir autoreconf -v --install || exit 1 cd $ORIGDIR || exit $? -$srcdir/configure --enable-maintainer-mode "$@" +if test -z "$NOCONFIGURE"; then + $srcdir/configure "$@" +fi commit 968295ede4d96fd40483d97bc4d25ae32d86a9fa Author: Adam Jackson <a...@redhat.com> Date: Tue Jan 15 14:28:48 2013 -0500 configure: Remove AM_MAINTAINER_MODE Signed-off-by: Adam Jackson <a...@redhat.com> diff --git a/configure.ac b/configure.ac index 54585c9..0558326 100644 --- a/configure.ac +++ b/configure.ac 
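Review bot: The fallback `_XEatDataWords()` added in the -22,6 hunk has no comment explaining its guard, and the guard is effective only if `_XIOError(dpy)` does not return. If it did return, `n << 2` would still be evaluated and passed to `_XEatData()`. Add a header comment such as `/* Discard n 4-byte words of reply data; where long is 32 bits, treat a count whose byte size would overflow as a fatal I/O error. */` and state the no-return assumption next to the call. It would also help to say why the check is compiled only when `LONG64` is undefined.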
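Review bot: In the autogen.sh hunk the new `$srcdir/configure "$@"` leaves `$srcdir` unquoted, so a checkout path containing whitespace is split into several words before the command runs. Writing it as `"$srcdir/configure" "$@"` avoids that. The `cd $srcdir` context line above has the same form and could be fixed at the same time.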
@@ -8,7 +8,6 @@ AC_CONFIG_HEADERS(src/config.h) # Initialize Automake AM_INIT_AUTOMAKE([foreign dist-bzip2]) -AM_MAINTAINER_MODE # Initialize libtool AC_PROG_LIBTOOL commit d4f89f7f42484963575b4c7d2fa694051e111e76 Author: Jeremy Huddleston <jerem...@apple.com> Date: Fri Mar 9 02:48:14 2012 -0800 Include <stdint.h> for uintptr_t Found-by: Tinderbox Signed-off-by: Jeremy Huddleston <jerem...@apple.com> diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c index 32f455b..964de18 100644 --- a/src/XF86DGA2.c +++ b/src/XF86DGA2.c @@ -21,6 +21,7 @@ Copyright (c) 1995,1996 The XFree86 Project, Inc #include <X11/extensions/extutil.h> #include <stdio.h> +#include <stdint.h> /* If you change this, change the Bases[] array below as well */ #define MAX_HEADS 16 commit 56b5a5887349e9d0e1d28da157fe6441ca691f56 Author: Jeremy Huddleston <jerem...@apple.com> Date: Thu Mar 8 11:49:36 2012 -0800 Build fix when sizeof(off_t) > sizeof(void *) https://trac.macports.org/ticket/33532 Signed-off-by: Jeremy Huddleston <jerem...@apple.com> diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c index e81b486..32f455b 100644 --- a/src/XF86DGA2.c +++ b/src/XF86DGA2.c @@ -928,7 +928,7 @@ DGAMapPhysical( if ((pMap->fd = open(name, O_RDWR)) < 0) return False; pMap->virtual = mmap(NULL, size, PROT_READ | PROT_WRITE, - MAP_FILE | MAP_SHARED, pMap->fd, (off_t)base); + MAP_FILE | MAP_SHARED, pMap->fd, (off_t)(uintptr_t)base); if (pMap->virtual == (void *)-1) return False; mprotect(pMap->virtual, size, PROT_READ | PROT_WRITE); -- To UNSUBSCRIBE, email to debian-x-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/e1v8zwa-0006t2...@vasks.debian.org
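Review bot: On the new side of the DGAMapPhysical hunk, the `return False;` after the `mmap()` failure test leaves `pMap->fd` open, so each failed mapping leaks a descriptor unless a caller closes it. Add `close(pMap->fd);` before that return, and compare against `MAP_FAILED` rather than `(void *)-1`. The `mprotect()` result on the following line is also ignored. The function starts and ends outside the hunk, so cleanup elsewhere cannot be ruled out.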