Commit e04a6fa5 authored by Natanael Copa's avatar Natanael Copa

main/libxfixes: upgrade to 5.0.1

parent 4e33a14b
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libxfixes
pkgver=5.0
pkgrel=2
pkgver=5.0.1
pkgrel=0
pkgdesc="X11 miscellaneous 'fixes' extension library"
url="http://xorg.freedesktop.org/"
arch="all"
......@@ -10,8 +10,7 @@ depends=
depends_dev="xproto fixesproto libx11-dev"
makedepends="$depends_dev xextproto"
subpackages="$pkgname-dev $pkgname-doc"
source="http://xorg.freedesktop.org/releases/individual/lib/libXfixes-$pkgver.tar.bz2
CVE-2013-1983.patch"
source="http://xorg.freedesktop.org/releases/individual/lib/libXfixes-$pkgver.tar.bz2"
_builddir="$srcdir"/libXfixes-$pkgver
prepare() {
......@@ -34,9 +33,6 @@ package() {
make DESTDIR="$pkgdir" install || return 1
rm "$pkgdir"/usr/lib/*.la || return 1
}
md5sums="678071bd7f9f7467e2fc712d81022318 libXfixes-5.0.tar.bz2
cfd62d3f71592118ca0a6862cfe221b3 CVE-2013-1983.patch"
sha256sums="537a2446129242737a35db40081be4bbcc126e56c03bf5f2b142b10a79cda2e3 libXfixes-5.0.tar.bz2
b1e261feb83e064ac1123cb3004f0ed9284b23abef34f4f5bb6a5d452aff1192 CVE-2013-1983.patch"
sha512sums="fd3071b52c657975b4321e6c7ebe433c43ea6944d04d2228da075aad394e962eec705e41a6c3a6bbc12f704765189116d1328c3111e457f23395ff6f57ae63d5 libXfixes-5.0.tar.bz2
6c1e9d1261ece81d97af947a1543f313aebfeb8cc18c121bc51e8cc1142e49c4c5c21fb304d2d37af318c530551e02c029bfbce928d9caefb9432b1c5a4da66c CVE-2013-1983.patch"
md5sums="b985b85f8b9386c85ddcfe1073906b4d libXfixes-5.0.1.tar.bz2"
sha256sums="63bec085084fa3caaee5180490dd871f1eb2020ba9e9b39a30f93693ffc34767 libXfixes-5.0.1.tar.bz2"
sha512sums="b47c841db169d1b329eec9deb555799cd087a466326840f1f5349303ba79cff5850b1bb69c1ff38b3f522f24d61db58a0c01021e1ffea2896527167262fc7150 libXfixes-5.0.1.tar.bz2"
From c480fe3271873ec7471b0cbd680f4dac18ca8904 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 13 Apr 2013 17:24:08 +0000
Subject: integer overflow in XFixesGetCursorImage() [CVE-2013-1983]
If the reported cursor dimensions or name length are too large, the
calculations to allocate memory for them may overflow, leaving us
writing beyond the bounds of the allocation.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
diff --git a/src/Cursor.c b/src/Cursor.c
index 641b747..33590b7 100644
--- a/src/Cursor.c
+++ b/src/Cursor.c
@@ -47,6 +47,7 @@
#include <config.h>
#endif
#include "Xfixesint.h"
+#include <limits.h>
void
XFixesSelectCursorInput (Display *dpy,
@@ -74,9 +75,9 @@ XFixesGetCursorImage (Display *dpy)
XFixesExtDisplayInfo *info = XFixesFindDisplay (dpy);
xXFixesGetCursorImageAndNameReq *req;
xXFixesGetCursorImageAndNameReply rep;
- int npixels;
- int nbytes_name;
- int nbytes, nread, rlength;
+ size_t npixels;
+ size_t nbytes_name;
+ size_t nbytes, nread, rlength;
XFixesCursorImage *image;
char *name;
@@ -101,16 +102,21 @@ XFixesGetCursorImage (Display *dpy)
}
npixels = rep.width * rep.height;
nbytes_name = rep.nbytes;
- /* reply data length */
- nbytes = (long) rep.length << 2;
- /* bytes of actual data in the reply */
- nread = (npixels << 2) + nbytes_name;
- /* size of data returned to application */
- rlength = (sizeof (XFixesCursorImage) +
- npixels * sizeof (unsigned long) +
- nbytes_name + 1);
+ if ((rep.length < (INT_MAX >> 2)) &&
+ npixels < (((INT_MAX >> 3) - sizeof (XFixesCursorImage) - 1)
+ - nbytes_name)) {
+ /* reply data length */
+ nbytes = (size_t) rep.length << 2;
+ /* bytes of actual data in the reply */
+ nread = (npixels << 2) + nbytes_name;
+ /* size of data returned to application */
+ rlength = (sizeof (XFixesCursorImage) +
+ npixels * sizeof (unsigned long) +
+ nbytes_name + 1);
- image = (XFixesCursorImage *) Xmalloc (rlength);
+ image = Xmalloc (rlength);
+ } else
+ image = NULL;
if (!image)
{
_XEatDataWords(dpy, rep.length);
--
cgit v0.9.0.2-2-gbebe
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment