Commit a2e6a170 authored by Natanael Copa's avatar Natanael Copa

main/libxv: upgrade to 1.0.8

parent a9923133
From 79362c764a6df7e7fbe5247756bdbf60f3a58baf Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 13 Apr 2013 00:28:34 -0700
Subject: [PATCH 1/5] Use _XEatDataWords to avoid overflow of rep.length
shifting
rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
configure.ac | 6 ++++++
src/Xv.c | 22 +++++++++++++++++++---
2 files changed, 25 insertions(+), 3 deletions(-)
diff --git a/configure.ac b/configure.ac
index 5494b5d..6a335db 100644
--- a/configure.ac
+++ b/configure.ac
@@ -43,6 +43,12 @@ XORG_CHECK_MALLOC_ZERO
# Obtain compiler/linker options for depedencies
PKG_CHECK_MODULES(XV, x11 xext xextproto videoproto)
+# Check for _XEatDataWords function that may be patched into older Xlib release
+SAVE_LIBS="$LIBS"
+LIBS="$XV_LIBS"
+AC_CHECK_FUNCS([_XEatDataWords])
+LIBS="$SAVE_LIBS"
+
# Allow checking code with lint, sparse, etc.
XORG_WITH_LINT
XORG_LINT_LIBRARY([Xv])
diff --git a/src/Xv.c b/src/Xv.c
index b081e8a..5be1d95 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -49,11 +49,27 @@ SOFTWARE.
**
*/
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
#include <stdio.h>
#include "Xvlibint.h"
#include <X11/extensions/Xext.h>
#include <X11/extensions/extutil.h>
#include <X11/extensions/XShm.h>
+#include <limits.h>
+
+#ifndef HAVE__XEATDATAWORDS
+static inline void _XEatDataWords(Display *dpy, unsigned long n)
+{
+# ifndef LONG64
+ if (n >= (ULONG_MAX >> 2))
+ _XIOError(dpy);
+# endif
+ _XEatData (dpy, n << 2);
+}
+#endif
static XExtensionInfo _xv_info_data;
static XExtensionInfo *xv_info = &_xv_info_data;
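Review bot: The fallback `_XEatDataWords` protects the shift only if `_XIOError` never returns, and nothing in the added lines says so; if it did return, `n << 2` would still be evaluated on the oversized value. Xlib's `_XIOError` is expected to terminate the client, so the code is probably correct as written. A comment such as `/* _XIOError() does not return; the shift below is reached only when n << 2 fits */` would make that dependency explicit. The `#ifndef LONG64` condition could also say why 64-bit builds need no check: a CARD32 word count shifted by two always fits in a 64-bit `unsigned long`.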
@@ -853,7 +869,7 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
(*num)++;
}
} else
- _XEatData(dpy, rep.length << 2);
+ _XEatDataWords(dpy, rep.length);
}
UnlockDisplay(dpy);
@@ -923,7 +939,7 @@ XvImageFormatValues * XvListImageFormats (
(*num)++;
}
} else
- _XEatData(dpy, rep.length << 2);
+ _XEatDataWords(dpy, rep.length);
}
UnlockDisplay(dpy);
@@ -976,7 +992,7 @@ XvImage * XvCreateImage (
_XRead(dpy, (char*)(ret->pitches), rep.num_planes << 2);
_XRead(dpy, (char*)(ret->offsets), rep.num_planes << 2);
} else
- _XEatData(dpy, rep.length << 2);
+ _XEatDataWords(dpy, rep.length);
UnlockDisplay(dpy);
SyncHandle();
--
1.8.2.3
From 6e1b743a276651195be3cd68dff41e38426bf3ab Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 13 Apr 2013 00:03:03 -0700
Subject: [PATCH 2/5] integer overflow in XvQueryPortAttributes()
[CVE-2013-1989 1/3]
The num_attributes & text_size members of the reply are both CARD32s
and need to be bounds checked before multiplying & adding them together
to come up with the total size to allocate, to avoid integer overflow
leading to underallocation and writing data from the network past the
end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/Xv.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/Xv.c b/src/Xv.c
index 5be1d95..3cbad35 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -851,9 +851,15 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
}
if(rep.num_attributes) {
- int size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size;
+ unsigned long size;
+ /* limit each part to no more than one half the max size */
+ if ((rep.num_attributes < ((INT_MAX / 2) / sizeof(XvAttribute))) &&
+ (rep.text_size < (INT_MAX / 2))) {
+ size = (rep.num_attributes * sizeof(XvAttribute)) + rep.text_size;
+ ret = Xmalloc(size);
+ }
- if((ret = Xmalloc(size))) {
+ if (ret != NULL) {
char* marker = (char*)(&ret[rep.num_attributes]);
xvAttributeInfo Info;
int i;
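Review bot: The new `if (ret != NULL)` test is correct only if `ret` is initialised to NULL at its declaration, which lies outside this hunk; when the bounds check fails, nothing in the added lines assigns it. If the declaration has no initialiser, the rejected-size path tests an indeterminate pointer, so confirm the declaration or add `ret = NULL;` just before the check. The same pattern appears in the XvListImageFormats and XvCreateImage hunks of patches 4/5 and 5/5. A one-line comment that an out-of-range reply falls through to the `_XEatDataWords` discard branch would help too, since the function body continues past the hunk.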
--
1.8.2.3
From 15ab7dec17d686c38f2c82ac23a17cac5622322a Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 13 Apr 2013 00:16:14 -0700
Subject: [PATCH 3/5] buffer overflow in XvQueryPortAttributes()
[CVE-2013-2066]
Each attribute returned in the reply includes the number of bytes
to read for its marker. We had been always trusting it, and never
validating that it wouldn't cause us to write past the end of the
buffer we allocated based on the reported text_size.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/Xv.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/Xv.c b/src/Xv.c
index 3cbad35..f9813eb 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -864,14 +864,20 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
xvAttributeInfo Info;
int i;
+ /* keep track of remaining room for text strings */
+ size = rep.text_size;
+
for(i = 0; i < rep.num_attributes; i++) {
_XRead(dpy, (char*)(&Info), sz_xvAttributeInfo);
ret[i].flags = (int)Info.flags;
ret[i].min_value = Info.min;
ret[i].max_value = Info.max;
ret[i].name = marker;
- _XRead(dpy, marker, Info.size);
- marker += Info.size;
+ if (Info.size <= size) {
+ _XRead(dpy, marker, Info.size);
+ marker += Info.size;
+ size -= Info.size;
+ }
(*num)++;
}
} else
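Review bot: When `Info.size` exceeds the remaining room the string is skipped, but `ret[i].name` has already been set to `marker` and `(*num)++` still counts the entry, so the caller receives a name pointer to bytes that were never written. The skipped bytes also stay unread in the reply, so the next `_XRead` into `Info` would presumably parse string data as an attribute header. Nothing in the hunk guarantees NUL termination of the name area either; reserving one extra byte in the allocation and writing `*marker = '\0';` after the loop would bound any string read by the caller. Stopping the loop at the first oversized entry, rather than continuing, would avoid the misparse. The enclosing function starts and ends outside the hunk.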
--
1.8.2.3
From 59301c1b5095f7dc6359d5b396dbbcdee7038270 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 13 Apr 2013 00:03:03 -0700
Subject: [PATCH 4/5] integer overflow in XvListImageFormats() [CVE-2013-1989
2/3]
num_formats is a CARD32 and needs to be bounds checked before multiplying
by sizeof(XvImageFormatValues) to come up with the total size to allocate,
to avoid integer overflow leading to underallocation and writing data from
the network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/Xv.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/Xv.c b/src/Xv.c
index f9813eb..0a07d9d 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -918,9 +918,10 @@ XvImageFormatValues * XvListImageFormats (
}
if(rep.num_formats) {
- int size = (rep.num_formats * sizeof(XvImageFormatValues));
+ if (rep.num_formats < (INT_MAX / sizeof(XvImageFormatValues)))
+ ret = Xmalloc(rep.num_formats * sizeof(XvImageFormatValues));
- if((ret = Xmalloc(size))) {
+ if (ret != NULL) {
xvImageFormatInfo Info;
int i;
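Review bot: `rep.num_formats` is bounded only against `INT_MAX / sizeof(XvImageFormatValues)`, not against the amount of data the reply actually carries in `rep.length`. A reply that claims many formats but is short would still drive a large allocation and, presumably, reads for data that never arrives; the read loop itself is outside the hunk. Adding a cross-check such as `rep.num_formats <= rep.length / (sz_xvImageFormatInfo >> 2)` to the condition would tie the count to the reply size without reintroducing the `<< 2` overflow. The XvCreateImage hunk in patch 5/5 has the same gap for `rep.num_planes`, which is checked only against `INT_MAX`.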
--
1.8.2.3
From 50fc4cb18069cb9450a02c13f80223ef23511409 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 13 Apr 2013 00:03:03 -0700
Subject: [PATCH 5/5] integer overflow in XvCreateImage() [CVE-2013-1989 3/3]
num_planes is a CARD32 and needs to be bounds checked before bit shifting
and adding to sizeof(XvImage) to come up with the total size to allocate,
to avoid integer overflow leading to underallocation and writing data from
the network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/Xv.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/Xv.c b/src/Xv.c
index 0a07d9d..f268f8e 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -992,7 +992,10 @@ XvImage * XvCreateImage (
return NULL;
}
- if((ret = (XvImage*)Xmalloc(sizeof(XvImage) + (rep.num_planes << 3)))) {
+ if (rep.num_planes < ((INT_MAX >> 3) - sizeof(XvImage)))
+ ret = Xmalloc(sizeof(XvImage) + (rep.num_planes << 3));
+
+ if (ret != NULL) {
ret->id = id;
ret->width = rep.width;
ret->height = rep.height;
--
1.8.2.3
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libxv
pkgver=1.0.7
pkgrel=1
pkgver=1.0.8
pkgrel=0
pkgdesc="X11 Video extension library"
url="http://xorg.freedesktop.org/"
arch="all"
......@@ -9,13 +9,8 @@ license="custom"
subpackages="$pkgname-dev $pkgname-doc"
depends=
depends_dev="xproto videoproto libx11-dev libxext-dev"
makedepends="$depends_dev libtool autoconf automake util-macros"
makedepends="$depends_dev"
source="http://xorg.freedesktop.org/releases/individual/lib/libXv-$pkgver.tar.bz2
0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
0002-integer-overflow-in-XvQueryPortAttributes-CVE-2013-1.patch
0003-buffer-overflow-in-XvQueryPortAttributes-CVE-2013-20.patch
0004-integer-overflow-in-XvListImageFormats-CVE-2013-1989.patch
0005-integer-overflow-in-XvCreateImage-CVE-2013-1989-3-3.patch
"
_builddir="$srcdir"/libXv-$pkgver
......@@ -26,8 +21,6 @@ prepare() {
*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
esac
done
libtoolize --force && aclocal && autoheader && autoconf \
&& automake --add-missing
}
build() {
......@@ -42,21 +35,6 @@ package() {
rm "$pkgdir"/usr/lib/*.la || return 1
install -D -m644 COPYING "$pkgdir"/usr/share/licenses/$pkgname/COPYING
}
md5sums="5e1ac203ccd3ce3e89755ed1fbe75b0b libXv-1.0.7.tar.bz2
cbd5367f2b5717cab78b819aaaacd7d9 0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
ff8da08c2883bdc98cbac78e448e81e6 0002-integer-overflow-in-XvQueryPortAttributes-CVE-2013-1.patch
108ba64a9d7d5f3763cfbb00ffe53eb2 0003-buffer-overflow-in-XvQueryPortAttributes-CVE-2013-20.patch
53dbcb31cb08325b3a5329f16ddab3dd 0004-integer-overflow-in-XvListImageFormats-CVE-2013-1989.patch
0844dd0e117d36a70f603019af580f13 0005-integer-overflow-in-XvCreateImage-CVE-2013-1989-3-3.patch"
sha256sums="5d664aeb641f8c867331a0c6b4574a5e7e420f00bf5fcefd874e8d003ea59010 libXv-1.0.7.tar.bz2
993a72fc67e9de4df9b19eeedd32c70b325ed5d97fdc9e476a585d5fd151469e 0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
583d3d8192bd11902e464213b462f24f632424c449eaa68c238910a2b1b223fb 0002-integer-overflow-in-XvQueryPortAttributes-CVE-2013-1.patch
7525a4f5df082913d614683219795e5ecaafd999fbe7696ab2e48857f1455b8c 0003-buffer-overflow-in-XvQueryPortAttributes-CVE-2013-20.patch
51edf32e1da0ef2afa7f11ef9b96c29f7d886f1a88b5610118753a36afc140ce 0004-integer-overflow-in-XvListImageFormats-CVE-2013-1989.patch
4debde18842840d7872ba3b367ca9bb5c40b2565d0d7d2c984961b10a2971955 0005-integer-overflow-in-XvCreateImage-CVE-2013-1989-3-3.patch"
sha512sums="25c81cc6d112a6b07de1c53fa5fc8bb9d886d19cffc2bcd65c4668ba53808051cf4d4720413b5c436ba356bb76f9ca05decf61909839ee19ccf9cbc7263e373b libXv-1.0.7.tar.bz2
b4a8c457380ff3d1dd2b4da0b80f83cf577fe1345a3b8c49686e9ad88ce77f49ade7e4a7c5042bf0dff6e43af8a6adcb5706067ea87ecf5b84e74849b65cfbc9 0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch
fb07656fcd4779c246546ec8d2cc3dd16b013d77380ecf21cf2b2ee7f37910cf9a5f016c8b97a68e5499b5af88b5cdbbe19399c278136daa72ad3321f343d66a 0002-integer-overflow-in-XvQueryPortAttributes-CVE-2013-1.patch
2ecc22e831cad3ed4701c42665d25b6c2da358a3464d8a0a29e6f081a83cdd79ce50b67692ee93e6d114f518250a979920df93e7366a5063a36ee69bdc8fd2c8 0003-buffer-overflow-in-XvQueryPortAttributes-CVE-2013-20.patch
0b63e9966e854b51df7c9db1359f4c8c868f607b0effd0c6f6f5838c9451e57e0951ae32fbe5b2cac14765e6738ba50b688539c9f5c08bc05bb794ef572c27f6 0004-integer-overflow-in-XvListImageFormats-CVE-2013-1989.patch
628cc07629f6819a435bd29f9e6d79a9cc13ee7ed6abef3c9d322c32cd78a75e386a448191fa38f01fe4597ef66e9347f0e7ed8724bb7974520cb9a7ffd5a7ef 0005-integer-overflow-in-XvCreateImage-CVE-2013-1989-3-3.patch"
md5sums="224dadca53d9c88f8a2b8945babcea70 libXv-1.0.8.tar.bz2"
sha256sums="4f00eb5347390909cea4e53a69425839d2a6a44e0e0613321d59e7e4aeaf73d7 libXv-1.0.8.tar.bz2"
sha512sums="610866deaa7fdb3e10a2d5071fe79987e74320b18604e957e5a4d45e3716a3f9e31b44e42fd10c70cbf0ed8629f4d3e8699a1958e80779f8c1b991aece5cc864 libXv-1.0.8.tar.bz2"