Commit 233e5746 authored by Natanael Copa's avatar Natanael Copa

main/libxvmc: fix CVE-2013-1990,CVE-2013-1999

ref #1931
fixes #1979

(cherry picked from commit dfac4cbe)
(cherry picked from commit 0ec2f93c)

Conflicts:

	main/libxvmc/APKBUILD
parent 4b84d993
From cf1a1dc1b9ca34a29d0471da9389f8eae70ddbd9 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 13 Apr 2013 00:47:57 -0700
Subject: [PATCH 1/6] Use _XEatDataWords to avoid overflow of rep.length
shifting
rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
configure.ac | 6 ++++++
src/XvMC.c | 24 ++++++++++++++++++------
2 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/configure.ac b/configure.ac
index b44f80d..f9d59a1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -42,6 +42,12 @@ XORG_CHECK_MALLOC_ZERO
# Obtain compiler/linker options for depedencies
PKG_CHECK_MODULES(XVMC, x11 xext xv xextproto videoproto)
+# Check for _XEatDataWords function that may be patched into older Xlib release
+SAVE_LIBS="$LIBS"
+LIBS="$XVMC_LIBS"
+AC_CHECK_FUNCS([_XEatDataWords])
+LIBS="$SAVE_LIBS"
+
# Checks for library functions.
AC_CHECK_FUNCS([shmat])
diff --git a/src/XvMC.c b/src/XvMC.c
index 5a4cf0d..b3e97ec 100644
--- a/src/XvMC.c
+++ b/src/XvMC.c
@@ -16,6 +16,18 @@
#include <sys/time.h>
#include <X11/extensions/Xext.h>
#include <X11/extensions/extutil.h>
+#include <limits.h>
+
+#ifndef HAVE__XEATDATAWORDS
+static inline void _XEatDataWords(Display *dpy, unsigned long n)
+{
+# ifndef LONG64
+ if (n >= (ULONG_MAX >> 2))
+ _XIOError(dpy);
+# endif
+ _XEatData (dpy, n << 2);
+}
+#endif
static XExtensionInfo _xvmc_info_data;
static XExtensionInfo *xvmc_info = &_xvmc_info_data;
@@ -134,7 +146,7 @@ XvMCSurfaceInfo * XvMCListSurfaceTypes(Display *dpy, XvPortID port, int *num)
surface_info[i].flags = sinfo.flags;
}
} else
- _XEatData(dpy, rep.length << 2);
+ _XEatDataWords(dpy, rep.length);
}
UnlockDisplay (dpy);
@@ -207,7 +219,7 @@ XvImageFormatValues * XvMCListSubpictureTypes (
ret[i].scanline_order = Info.scanline_order;
}
} else
- _XEatData(dpy, rep.length << 2);
+ _XEatDataWords(dpy, rep.length);
}
UnlockDisplay (dpy);
@@ -278,7 +290,7 @@ Status _xvmc_create_context (
_XRead(dpy, (char*)(*priv_data), rep.length << 2);
*priv_count = rep.length;
} else
- _XEatData(dpy, rep.length << 2);
+ _XEatDataWords(dpy, rep.length);
}
UnlockDisplay (dpy);
@@ -359,7 +371,7 @@ Status _xvmc_create_surface (
_XRead(dpy, (char*)(*priv_data), rep.length << 2);
*priv_count = rep.length;
} else
- _XEatData(dpy, rep.length << 2);
+ _XEatDataWords(dpy, rep.length);
}
UnlockDisplay (dpy);
@@ -449,7 +461,7 @@ Status _xvmc_create_subpicture (
_XRead(dpy, (char*)(*priv_data), rep.length << 2);
*priv_count = rep.length;
} else
- _XEatData(dpy, rep.length << 2);
+ _XEatDataWords(dpy, rep.length);
}
UnlockDisplay (dpy);
@@ -579,7 +591,7 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port,
} else {
- _XEatData(dpy, realSize);
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay (dpy);
SyncHandle ();
return -1;
--
1.8.2.3
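Review bot: The `_XEatDataWords` fallback added at the top of src/XvMC.c (the `#ifndef HAVE__XEATDATAWORDS` block) gives no reason for treating `n >= (ULONG_MAX >> 2)` as an I/O error, and the condition reads like an off-by-one at first glance. A one-line comment would save the next reader the derivation: `/* n << 2 would wrap a 32-bit unsigned long; an oversized reply is a protocol error, not something to eat partially */`. The block also relies on `HAVE__XEATDATAWORDS` being visible at that point, which presumably comes from a config header included earlier in the file — outside this hunk, so worth confirming the include order.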
From 2712383813b26475dc6713888414d842be57f8ca Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 13 Apr 2013 00:50:02 -0700
Subject: [PATCH 2/6] integer overflow in XvMCListSurfaceTypes() [CVE-2013-1990
1/2]
rep.num is a CARD32 and needs to be bounds checked before multiplying
by sizeof(XvMCSurfaceInfo) to come up with the total size to allocate,
to avoid integer overflow leading to underallocation and writing data from
the network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/XvMC.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/XvMC.c b/src/XvMC.c
index b3e97ec..5d8c2cf 100644
--- a/src/XvMC.c
+++ b/src/XvMC.c
@@ -123,8 +123,8 @@ XvMCSurfaceInfo * XvMCListSurfaceTypes(Display *dpy, XvPortID port, int *num)
}
if(rep.num > 0) {
- surface_info =
- (XvMCSurfaceInfo*)Xmalloc(rep.num * sizeof(XvMCSurfaceInfo));
+ if (rep.num < (INT_MAX / sizeof(XvMCSurfaceInfo)))
+ surface_info = Xmalloc(rep.num * sizeof(XvMCSurfaceInfo));
if(surface_info) {
xvmcSurfaceInfo sinfo;
--
1.8.2.3
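Review bot: When `rep.num` fails the new bound at `if (rep.num < (INT_MAX / sizeof(XvMCSurfaceInfo)))`, the assignment is skipped and the following `if(surface_info)` tests whatever value `surface_info` already held; its declaration is outside the hunk, so this is safe only if it is initialised to NULL there — worth confirming, or making explicit with `surface_info = NULL;` before the check. The same pattern appears in patch 0003 for `ret` in XvMCListSubpictureTypes and in patch 0004 for `*priv_data` in the three `_xvmc_create_*` functions, where the pointer is a caller-supplied out-parameter and its initialisation is likewise not visible in the hunk. The comparison mixes a CARD32 with a `size_t`, which is fine since both are unsigned after promotion, but the line deserves a short `/* avoid overflow in the multiplication below */` comment. XvMCListSurfaceTypes begins and ends outside the hunk.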
From 478d4e5873eeee2ebdce6673e4e3469816ab63b8 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 13 Apr 2013 00:50:02 -0700
Subject: [PATCH 3/6] integer overflow in XvMCListSubpictureTypes()
[CVE-2013-1990 2/2]
rep.num is a CARD32 and needs to be bounds checked before multiplying by
sizeof(XvImageFormatValues) to come up with the total size to allocate,
to avoid integer overflow leading to underallocation and writing data from
the network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/XvMC.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/XvMC.c b/src/XvMC.c
index 5d8c2cf..8d602ec 100644
--- a/src/XvMC.c
+++ b/src/XvMC.c
@@ -184,8 +184,8 @@ XvImageFormatValues * XvMCListSubpictureTypes (
}
if(rep.num > 0) {
- ret =
- (XvImageFormatValues*)Xmalloc(rep.num * sizeof(XvImageFormatValues));
+ if (rep.num < (INT_MAX / sizeof(XvImageFormatValues)))
+ ret = Xmalloc(rep.num * sizeof(XvImageFormatValues));
if(ret) {
xvImageFormatInfo Info;
--
1.8.2.3
From 5fd871e5f878810f8f8837725d548e07e89577ab Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 13 Apr 2013 00:50:02 -0700
Subject: [PATCH 4/6] integer overflow in _xvmc_create_*()
rep.length is a CARD32 and should be bounds checked before left-shifting
by 2 bits to come up with the total size to allocate, though in these
cases, no buffer overflow should occur here, since the XRead call is passed
the same rep.length << 2 length argument, but the *priv_count returned to
the caller could be interpreted or used to calculate a larger buffer size
than was actually allocated, leading them to go out of bounds.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/XvMC.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/src/XvMC.c b/src/XvMC.c
index 8d602ec..d8bc59d 100644
--- a/src/XvMC.c
+++ b/src/XvMC.c
@@ -285,7 +285,8 @@ Status _xvmc_create_context (
context->flags = rep.flags_return;
if(rep.length) {
- *priv_data = Xmalloc(rep.length << 2);
+ if (rep.length < (INT_MAX >> 2))
+ *priv_data = Xmalloc(rep.length << 2);
if(*priv_data) {
_XRead(dpy, (char*)(*priv_data), rep.length << 2);
*priv_count = rep.length;
@@ -366,7 +367,8 @@ Status _xvmc_create_surface (
}
if(rep.length) {
- *priv_data = Xmalloc(rep.length << 2);
+ if (rep.length < (INT_MAX >> 2))
+ *priv_data = Xmalloc(rep.length << 2);
if(*priv_data) {
_XRead(dpy, (char*)(*priv_data), rep.length << 2);
*priv_count = rep.length;
@@ -456,7 +458,8 @@ Status _xvmc_create_subpicture (
subpicture->component_order[3] = rep.component_order[3];
if(rep.length) {
- *priv_data = Xmalloc(rep.length << 2);
+ if (rep.length < (INT_MAX >> 2))
+ *priv_data = Xmalloc(rep.length << 2);
if(*priv_data) {
_XRead(dpy, (char*)(*priv_data), rep.length << 2);
*priv_count = rep.length;
--
1.8.2.3
From e9415ddef2ac81d4139bd32d5e9cda9394a60051 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 13 Apr 2013 01:20:08 -0700
Subject: [PATCH 5/6] Multiple unvalidated assumptions in XvMCGetDRInfo()
[CVE-2013-1999]
The individual string sizes is assumed to not be more than the amount of
data read from the network, and could cause buffer overflow if they are.
The strings returned from the X server are assumed to be null terminated,
and could cause callers to read past the end of the buffer if they are not.
Also be sure to set the returned pointers to NULL, so callers don't try
accessing bad pointers on failure cases.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/XvMC.c | 36 +++++++++++++++++++-----------------
1 file changed, 19 insertions(+), 17 deletions(-)
diff --git a/src/XvMC.c b/src/XvMC.c
index d8bc59d..cb42487 100644
--- a/src/XvMC.c
+++ b/src/XvMC.c
@@ -499,7 +499,6 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port,
XExtDisplayInfo *info = xvmc_find_display(dpy);
xvmcGetDRInfoReply rep;
xvmcGetDRInfoReq *req;
- char *tmpBuf = NULL;
CARD32 magic;
#ifdef HAVE_SHMAT
@@ -510,6 +509,9 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port,
here.tz_dsttime = 0;
#endif
+ *name = NULL;
+ *busID = NULL;
+
XvMCCheckExtension (dpy, info, BadImplementation);
LockDisplay (dpy);
@@ -568,31 +570,31 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port,
#endif
if (rep.length > 0) {
-
- int realSize = rep.length << 2;
-
- tmpBuf = (char *) Xmalloc(realSize);
- if (tmpBuf) {
- *name = (char *) Xmalloc(rep.nameLen);
- if (*name) {
- *busID = (char *) Xmalloc(rep.busIDLen);
- if (! *busID) {
- XFree(*name);
- XFree(tmpBuf);
- }
- } else {
- XFree(tmpBuf);
+ unsigned long realSize = 0;
+ char *tmpBuf = NULL;
+
+ if (rep.length < (INT_MAX >> 2)) {
+ realSize = rep.length << 2;
+ if (realSize >= (rep.nameLen + rep.busIDLen)) {
+ tmpBuf = Xmalloc(realSize);
+ *name = Xmalloc(rep.nameLen);
+ *busID = Xmalloc(rep.busIDLen);
}
}
if (*name && *busID && tmpBuf) {
-
_XRead(dpy, tmpBuf, realSize);
strncpy(*name,tmpBuf,rep.nameLen);
+ name[rep.nameLen - 1] = '\0';
strncpy(*busID,tmpBuf+rep.nameLen,rep.busIDLen);
+ busID[rep.busIDLen - 1] = '\0';
XFree(tmpBuf);
-
} else {
+ XFree(*name);
+ *name = NULL;
+ XFree(*busID);
+ *name = NULL;
+ XFree(tmpBuf);
_XEatDataWords(dpy, rep.length);
UnlockDisplay (dpy);
--
1.8.2.3
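Review bot: The new size check `if (realSize >= (rep.nameLen + rep.busIDLen))` can be defeated if the two lengths are 32-bit fields like `rep.length` is stated to be: their sum can wrap, the check then passes with a small `realSize`, and the later `strncpy(*name,tmpBuf,rep.nameLen)` could read beyond the `realSize` bytes that `_XRead` placed in `tmpBuf`. Rejecting a wrapped sum alongside the existing length bound closes that gap, e.g. `if ((rep.length < (INT_MAX >> 2)) && (rep.nameLen + rep.busIDLen >= rep.nameLen)) {`. The `name[...]`/`busID[...]` indexing mistakes and the duplicated `*name = NULL` in this hunk are already corrected by patch 0006. XvMCGetDRInfo begins and ends outside the hunk.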
From 8c164524d229adb6141fdac8336b3823e7fe1a5d Mon Sep 17 00:00:00 2001
From: Dave Airlie <airlied@redhat.com>
Date: Fri, 24 May 2013 14:47:30 +1000
Subject: [PATCH 6/6] Multiple unvalidated patches in CVE-2013-1999
Al Viro pointed out that Debian started segfaulting in Xine for him,
Reported-by: Al Viro
Signed-off-by: Dave Airlie <airlied@redhat.com>
---
src/XvMC.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/XvMC.c b/src/XvMC.c
index cb42487..74c8b85 100644
--- a/src/XvMC.c
+++ b/src/XvMC.c
@@ -585,15 +585,15 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port,
if (*name && *busID && tmpBuf) {
_XRead(dpy, tmpBuf, realSize);
strncpy(*name,tmpBuf,rep.nameLen);
- name[rep.nameLen - 1] = '\0';
+ (*name)[rep.nameLen - 1] = '\0';
strncpy(*busID,tmpBuf+rep.nameLen,rep.busIDLen);
- busID[rep.busIDLen - 1] = '\0';
+ (*busID)[rep.busIDLen - 1] = '\0';
XFree(tmpBuf);
} else {
XFree(*name);
*name = NULL;
XFree(*busID);
- *name = NULL;
+ *busID = NULL;
XFree(tmpBuf);
_XEatDataWords(dpy, rep.length);
--
1.8.2.3
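Review bot: `(*name)[rep.nameLen - 1] = '\0';` and the matching `(*busID)[rep.busIDLen - 1] = '\0';` are still unguarded for a zero length: if `rep.nameLen` is an unsigned CARD32 like the other reply fields, `rep.nameLen - 1` wraps to a very large index, and as far as I recall Xlib's `Xmalloc` macro turns a zero size into a one-byte allocation, so the `*name && *busID && tmpBuf` test does not reject that case. A guard such as `(*name)[rep.nameLen ? rep.nameLen - 1 : 0] = '\0';` (and the same form for `*busID`) keeps the terminator inside the allocated buffer. XvMCGetDRInfo begins and ends outside the hunk.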
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libxvmc
pkgver=1.0.6
pkgrel=2
pkgver=1.0.7
pkgrel=1
pkgdesc="X11 Video Motion Compensation extension library"
url="http://xorg.freedesktop.org/"
arch="all"
license="custom"
subpackages="$pkgname-dev"
depends=
makedepends="pkgconfig libxv-dev libxext-dev libx11-dev"
source="http://xorg.freedesktop.org/releases/individual/lib/libXvMC-$pkgver.tar.bz2"
depends_dev="xproto videoproto libxv-dev libx11-dev libxext-dev"
makedepends="$depends_dev libtool autoconf automake util-macros"
source="http://xorg.freedesktop.org/releases/individual/lib/libXvMC-$pkgver.tar.bz2
0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
0002-integer-overflow-in-XvMCListSurfaceTypes-CVE-2013-19.patch
0003-integer-overflow-in-XvMCListSubpictureTypes-CVE-2013.patch
0004-integer-overflow-in-_xvmc_create_.patch
0005-Multiple-unvalidated-assumptions-in-XvMCGetDRInfo-CV.patch
0006-Multiple-unvalidated-patches-in-CVE-2013-1999.patch
"
_builddir="$srcdir"/libXvMC-$pkgver
prepare() {
cd "$_builddir"
for i in $source; do
case $i in
*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
esac
done
libtoolize --force && aclocal && autoheader && autoconf \
&& automake --add-missing
}
build() {
cd "$srcdir"/libXvMC-$pkgver
cd "$_builddir"
./configure --prefix=/usr --sysconfdir=/etc
make || return 1
}
package() {
cd "$srcdir"/libXvMC-$pkgver
cd "$_builddir"
make DESTDIR="$pkgdir" install || return 1
rm "$pkgdir"/usr/lib/*.la
}
md5sums="bfc7524646f890dfc30dea1d676004a3 libXvMC-1.0.6.tar.bz2"
md5sums="3340c99ff556ea2457b4be47f5cb96fa libXvMC-1.0.7.tar.bz2
839450035994be7232f049c3256967fd 0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
c02e3cc2530cd053a2ce47b0627bfdff 0002-integer-overflow-in-XvMCListSurfaceTypes-CVE-2013-19.patch
6a87be93e8e173fb132eb2607abea6eb 0003-integer-overflow-in-XvMCListSubpictureTypes-CVE-2013.patch
4eb70517ff9e5d14ddd676de60a72fd4 0004-integer-overflow-in-_xvmc_create_.patch
0aedb6b617afe07376c243e401b1f417 0005-Multiple-unvalidated-assumptions-in-XvMCGetDRInfo-CV.patch
cbd25dbf846b42f2a5ba9a60f32005f3 0006-Multiple-unvalidated-patches-in-CVE-2013-1999.patch"
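Review bot: The new `source=` block fetches the tarball over plain `http://`, and `md5sums=` is the only integrity check on both the tarball and the six local patches; MD5 is no longer considered collision-resistant, so if the abuild in use supports `sha512sums`, a stronger digest would be a cheap improvement for the downloaded tarball in particular. The old `makedepends` listed `pkgconfig`, which the new line drops even though `configure.ac` still uses `PKG_CHECK_MODULES` and patch 0001 adds an `AC_CHECK_FUNCS` that runs against `$XVMC_LIBS`; presumably one of the `-dev` packages pulls it in, but that is worth confirming from a clean build environment.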