Commit ba5259e8 authored by Natanael Copa's avatar Natanael Copa

main/libxxf86dga: upgrade to 1.1.4

parent a2e6a170
From 6fa471be7a005bde97bcb5ca5a17662ea8d32587 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 13 Apr 2013 12:05:25 -0700
Subject: [PATCH 1/6] Use _XEatDataWords to avoid overflow of rep.length
shifting
rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
configure.ac | 6 ++++++
src/XF86DGA2.c | 17 ++++++++++++++++-
2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index 0558326..955fa3c 100644
--- a/configure.ac
+++ b/configure.ac
@@ -22,6 +22,12 @@ XORG_CHECK_MALLOC_ZERO
# Obtain compiler/linker options for depedencies
PKG_CHECK_MODULES(XXF86DGA, xproto x11 xextproto xext [xf86dgaproto >= 2.0.99.2])
+# Check for _XEatDataWords function that may be patched into older Xlib release
+SAVE_LIBS="$LIBS"
+LIBS="$XXF86DGA_LIBS"
+AC_CHECK_FUNCS([_XEatDataWords])
+LIBS="$SAVE_LIBS"
+
AC_CONFIG_FILES([Makefile
src/Makefile
man/Makefile
diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
index 964de18..c17c7f1 100644
--- a/src/XF86DGA2.c
+++ b/src/XF86DGA2.c
@@ -6,6 +6,9 @@ Copyright (c) 1995,1996 The XFree86 Project, Inc
*/
/* THIS IS NOT AN X CONSORTIUM STANDARD */
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
#ifdef __UNIXOS2__ /* needed here to override certain constants in X headers */
#define INCL_DOS
@@ -22,6 +25,18 @@ Copyright (c) 1995,1996 The XFree86 Project, Inc
#include <stdio.h>
#include <stdint.h>
+#include <limits.h>
+
+#ifndef HAVE__XEATDATAWORDS
+static inline void _XEatDataWords(Display *dpy, unsigned long n)
+{
+# ifndef LONG64
+ if (n >= (ULONG_MAX >> 2))
+ _XIOError(dpy);
+# endif
+ _XEatData (dpy, n << 2);
+}
+#endif
/* If you change this, change the Bases[] array below as well */
#define MAX_HEADS 16
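Review bot: The fallback `_XEatDataWords` has no comment saying that its overflow guard depends on `_XIOError` not returning; if that call ever returned, `n << 2` on the following line would still run with the oversized value. I would add above the function: `/* Fallback for Xlib builds without _XEatDataWords: discard n 4-byte words. With a 32-bit long, an n whose byte count would wrap is treated as a fatal I/O error. */`. The `LONG64` build skips the check, presumably because callers pass a CARD32 that cannot overflow a 64-bit shift; stating that in the comment would save the next reader from re-deriving it.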
@@ -342,7 +357,7 @@ XDGAMode* XDGAQueryModes(
}
*num = rep.number;
} else
- _XEatData(dpy, rep.length << 2);
+ _XEatDataWords(dpy, rep.length);
}
}
--
1.8.2.3
From f4a8dd63af518640468d82948f450aad4b2b1e6a Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 13 Apr 2013 12:18:57 -0700
Subject: [PATCH 2/6] integer overflow in XDGAQueryModes() [CVE-2013-1991 1/2]
number is a CARD32 and needs to be bounds checked before multiplying by
sizeof(XDGAmode) to come up with the total size to allocate, to avoid
integer overflow leading to underallocation and writing data from the
network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/XF86DGA2.c | 19 ++++++++++++-------
1 file changed, 12 insertions(+), 7 deletions(-)
diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
index c17c7f1..8830266 100644
--- a/src/XF86DGA2.c
+++ b/src/XF86DGA2.c
@@ -312,16 +312,21 @@ XDGAMode* XDGAQueryModes(
if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) {
if(rep.length) {
xXDGAModeInfo info;
- int i, size;
+ unsigned long size = 0;
char *offset;
- size = rep.length << 2;
- size -= rep.number * sz_xXDGAModeInfo; /* find text size */
- modes = (XDGAMode*)Xmalloc((rep.number * sizeof(XDGAMode)) + size);
- offset = (char*)(&modes[rep.number]); /* start of text */
-
+ if ((rep.length < (INT_MAX >> 2)) &&
+ (rep.number < (INT_MAX / sizeof(XDGAMode)))) {
+ size = rep.length << 2;
+ if (size > (rep.number * sz_xXDGAModeInfo)) {
+ size -= rep.number * sz_xXDGAModeInfo; /* find text size */
+ modes = Xmalloc((rep.number * sizeof(XDGAMode)) + size);
+ offset = (char*)(&modes[rep.number]); /* start of text */
+ }
+ }
- if(modes) {
+ if (modes != NULL) {
+ unsigned int i;
for(i = 0; i < rep.number; i++) {
_XRead(dpy, (char*)(&info), sz_xXDGAModeInfo);
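Review bot: `offset` is declared without an initializer and is assigned only inside the inner `if (size > ...)`, so it is indeterminate on every path where the bounds checks fail. It is safe only because the later use is guarded by `modes != NULL`, and `modes` must already be NULL from a declaration outside this hunk. Declaring it as `char *offset = NULL;` makes that dependency explicit and avoids maybe-uninitialized warnings. The XDGASetMode hunk in patch 4/6 has the same pattern with `unsigned long size;`, which would read better as `unsigned long size = 0;` to match this function. `offset` is also derived from `modes` before the `Xmalloc` result is checked, so computing it inside the `if (modes != NULL)` block would be cleaner.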
--
1.8.2.3
From 5dcfa6a8cf2df39828da733e5945e730518c27b3 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 13 Apr 2013 12:27:10 -0700
Subject: [PATCH 3/6] buffer overflow in XDGAQueryModes() [CVE-2013-2000 1/2]
When reading the name strings for the modes off the network, we never
checked to make sure the length of the individual name strings didn't
overflow the size of the buffer we'd allocated based on the reported
rep.length for the total reply size.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/XF86DGA2.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
index 8830266..b5145ee 100644
--- a/src/XF86DGA2.c
+++ b/src/XF86DGA2.c
@@ -356,9 +356,16 @@ XDGAMode* XDGAQueryModes(
modes[i].reserved1 = info.reserved1;
modes[i].reserved2 = info.reserved2;
- _XRead(dpy, offset, info.name_size);
- modes[i].name = offset;
- offset += info.name_size;
+ if (info.name_size > 0 && info.name_size <= size) {
+ _XRead(dpy, offset, info.name_size);
+ modes[i].name = offset;
+ modes[i].name[info.name_size - 1] = '\0';
+ offset += info.name_size;
+ size -= info.name_size;
+ } else {
+ _XEatData(dpy, info.name_size);
+ modes[i].name = NULL;
+ }
}
*num = rep.number;
} else
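Review bot: In the `else` branch, `_XEatData(dpy, info.name_size)` discards the server-supplied length even when it is larger than `size`, the text bytes still unaccounted for in this reply. A malformed reply therefore appears able to make the client consume bytes that belong to later records or to the next message on the connection. Bounding the discard keeps the read inside the reply: `_XEatData(dpy, info.name_size < size ? info.name_size : size);`, with the same amount subtracted from `size`. This branch also makes `modes[i].name == NULL` a possible result, which deserves a comment or man-page note for callers that print the name. The loop and the function body extend outside the hunk.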
--
1.8.2.3
From f89cf306a60facdf102696840bc05acebd7d1772 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 13 Apr 2013 12:38:25 -0700
Subject: [PATCH 4/6] integer overflow & underflow in XDGASetMode()
[CVE-2013-1991 2/2]
rep.length is a CARD32 and needs to be bounds checked before bit shifting
and subtracting sz_xXDGAModeInfo to come up with the total size to allocate,
to avoid integer overflow or underflow leading to underallocation and
writing data from the network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/XF86DGA2.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
index b5145ee..90ca918 100644
--- a/src/XF86DGA2.c
+++ b/src/XF86DGA2.c
@@ -405,12 +405,15 @@ XDGASetMode(
if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) {
if(rep.length) {
xXDGAModeInfo info;
- int size;
+ unsigned long size;
- size = rep.length << 2;
- size -= sz_xXDGAModeInfo; /* get text size */
+ if ((rep.length < (INT_MAX >> 2)) &&
+ (rep.length > (sz_xXDGAModeInfo >> 2))) {
+ size = rep.length << 2;
+ size -= sz_xXDGAModeInfo; /* get text size */
- dev = (XDGADevice*)Xmalloc(sizeof(XDGADevice) + size);
+ dev = Xmalloc(sizeof(XDGADevice) + size);
+ }
if(dev) {
_XRead(dpy, (char*)(&info), sz_xXDGAModeInfo);
@@ -451,6 +454,8 @@ XDGASetMode(
dev->data += rep.offset;
}
/* not sure what to do if the allocation fails */
+ else
+ _XEatDataWords(dpy, rep.length);
}
}
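Review bot: The comment `/* not sure what to do if the allocation fails */` now sits between the closing brace and the new `else`, and it no longer describes the code, because the failure path now does something definite. I would replace it with `/* allocation failed or reply length rejected: discard the reply so the connection stays in sync */` and brace the `else` body. The `if (dev)` that this `else` pairs with starts outside the hunk.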
--
1.8.2.3
From b69d6d51a82b1d1e8c68a233360acb742c879375 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 13 Apr 2013 12:45:41 -0700
Subject: [PATCH 5/6] buffer overflow in XDGASetMode() [CVE-2013-2000 2/2]
When reading the name strings for the mode off the network, we never
checked to make sure the length of the name strings didn't overflow
the size of the buffer we'd allocated based on the reported rep.length
for the total reply size.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/XF86DGA2.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
index 90ca918..4d13677 100644
--- a/src/XF86DGA2.c
+++ b/src/XF86DGA2.c
@@ -444,8 +444,14 @@ XDGASetMode(
dev->mode.reserved1 = info.reserved1;
dev->mode.reserved2 = info.reserved2;
- dev->mode.name = (char*)(&dev[1]);
- _XRead(dpy, dev->mode.name, info.name_size);
+ if (info.name_size > 0 && info.name_size <= size) {
+ dev->mode.name = (char*)(&dev[1]);
+ _XRead(dpy, dev->mode.name, info.name_size);
+ dev->mode.name[info.name_size - 1] = '\0';
+ } else {
+ dev->mode.name = NULL;
+ _XEatDataWords(dpy, rep.length);
+ }
dev->pixmap = (rep.flags & XDGAPixmap) ? pid : 0;
dev->data = XDGAGetMappedMemory(screen);
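Review bot: The `else` branch calls `_XEatDataWords(dpy, rep.length)`, which discards the full reply length even though the `sz_xXDGAModeInfo` bytes of `info` appear to have been read already by the `_XRead` at the top of the `if (dev)` block (visible in patch 4/6). That would over-read by `sz_xXDGAModeInfo` bytes into whatever follows the reply. The payload still pending at this point is `size`, so `_XEatData(dpy, size);` looks like the intended call. On the success path, any bytes between `info.name_size` and `size` are not consumed either, as far as this hunk shows. Callers also now have to handle `dev->mode.name == NULL`, which is worth documenting.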
--
1.8.2.3
From a8dc6be3213bc91dec5e25535ef4bad5a9456af0 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 13 Apr 2013 12:53:49 -0700
Subject: [PATCH 6/6] integer overflow in XDGAOpenFramebuffer()
rep.length is a CARD32 and should be bounds checked before left shifting
to come up with the size to allocate and read from the network, though
since both functions take the same size, there should be no way for the
buffer to be overflowed in this case.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
src/XF86DGA2.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
index 4d13677..9c656e6 100644
--- a/src/XF86DGA2.c
+++ b/src/XF86DGA2.c
@@ -250,9 +250,14 @@ Bool XDGAOpenFramebuffer(
return False;
}
- if(rep.length) {
- deviceName = Xmalloc(rep.length << 2);
- _XRead(dpy, deviceName, rep.length << 2);
+ if (rep.length) {
+ if (rep.length < (INT_MAX >> 2)) {
+ unsigned long size = rep.length << 2;
+ deviceName = Xmalloc(size);
+ _XRead(dpy, deviceName, size);
+ deviceName[size - 1] = '\0';
+ } else
+ _XEatDataWords(dpy, rep.length);
}
ret = XDGAMapFramebuffer(screen, deviceName,
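Review bot: The result of `Xmalloc(size)` is used without a NULL check, so on allocation failure both `_XRead` and the `deviceName[size - 1] = '\0'` store write through a null pointer. Guard those two lines with `if (deviceName != NULL) { ... } else _XEatDataWords(dpy, rep.length);` so the reply is still drained when the allocation fails. `deviceName` is then passed to `XDGAMapFramebuffer` on the next line, so it should be confirmed that NULL is acceptable there; that call continues outside the hunk.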
--
1.8.2.3
# Maintainer: Natanael Copa <ncopa@alpinelinux.org> # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libxxf86dga pkgname=libxxf86dga
pkgver=1.1.3 pkgver=1.1.4
pkgrel=1 pkgrel=0
pkgdesc="X11 Direct Graphics Access extension library" pkgdesc="X11 Direct Graphics Access extension library"
url="http://xorg.freedesktop.org/" url="http://xorg.freedesktop.org/"
arch="all" arch="all"
...@@ -9,7 +9,7 @@ license="custom" ...@@ -9,7 +9,7 @@ license="custom"
subpackages="$pkgname-dev $pkgname-doc" subpackages="$pkgname-dev $pkgname-doc"
depends= depends=
depends_dev="xf86dgaproto libxext-dev libx11-dev" depends_dev="xf86dgaproto libxext-dev libx11-dev"
makedepends="$depends_dev libtool autoconf automake util-macros" makedepends="$depends_dev"
source="http://xorg.freedesktop.org/releases/individual/lib/libXxf86dga-$pkgver.tar.bz2" source="http://xorg.freedesktop.org/releases/individual/lib/libXxf86dga-$pkgver.tar.bz2"
_builddir="$srcdir"/libXxf86dga-$pkgver _builddir="$srcdir"/libXxf86dga-$pkgver
...@@ -20,8 +20,6 @@ prepare() { ...@@ -20,8 +20,6 @@ prepare() {
*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;; *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
esac esac
done done
libtoolize --force && aclocal && autoheader && autoconf \
&& automake --add-missing
} }
build() { build() {
...@@ -35,6 +33,6 @@ package() { ...@@ -35,6 +33,6 @@ package() {
make DESTDIR="$pkgdir" install || return 1 make DESTDIR="$pkgdir" install || return 1
rm "$pkgdir"/usr/lib/*.la rm "$pkgdir"/usr/lib/*.la
} }
md5sums="b7f38465c46e7145782d37dbb9da8c09 libXxf86dga-1.1.3.tar.bz2" md5sums="d7dd9b9df336b7dd4028b6b56542ff2c libXxf86dga-1.1.4.tar.bz2"
sha256sums="551fa374dbef0f977de1f35d005fa9ffe92b7a87e82dbe62d6a4640f5b0b4994 libXxf86dga-1.1.3.tar.bz2" sha256sums="8eecd4b6c1df9a3704c04733c2f4fa93ef469b55028af5510b25818e2456c77e libXxf86dga-1.1.4.tar.bz2"
sha512sums="84129573f7491dff92c7072312bbadac7e7b9698b937e65c7bbf94d9b2e17a5448743e557c92c196738ddaa6d70917300f73c943e0c2507402df7bc31d5dd6d0 libXxf86dga-1.1.3.tar.bz2" sha512sums="58d81a7850275fc8382018bcc56dbc65b4200828b1f1379dcee3da1878f12a83ee681a9d474bcd564d99bf93bedfeb7b243370e0ebb89177652b37cee158a3f2 libXxf86dga-1.1.4.tar.bz2"