Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:linux4humans:qt_5.9
xorg-x11-libs
U_0001-memory-corruption-in-XF86VidModeGetGamma...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File U_0001-memory-corruption-in-XF86VidModeGetGammaRamp-CVE-201.patch of Package xorg-x11-libs
From 47bb28ac0e6e49d3b6eb90c7c215f2fcf54f1a95 Mon Sep 17 00:00:00 2001 From: Alan Coopersmith <alan.coopersmith@oracle.com> Date: Sat, 13 Apr 2013 14:33:32 -0700 Subject: [PATCH] memory corruption in XF86VidModeGetGammaRamp() [CVE-2013-2001] We trusted the server not to return more data than the client said it had allocated room for, and would overflow the provided buffers if it did. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> --- src/XF86VMode.c | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-) Index: libXxf86vm-1.0.2/src/XF86VMode.c =================================================================== --- libXxf86vm-1.0.2.orig/src/XF86VMode.c +++ libXxf86vm-1.0.2/src/XF86VMode.c @@ -1139,6 +1140,7 @@ XF86VidModeGetGammaRamp ( XExtDisplayInfo *info = find_display (dpy); xXF86VidModeGetGammaRampReq *req; xXF86VidModeGetGammaRampReply rep; + Bool result = True; XF86VidModeCheckExtension (dpy, info, False); @@ -1149,19 +1151,23 @@ XF86VidModeGetGammaRamp ( req->screen = screen; req->size = size; if (!_XReply (dpy, (xReply *) &rep, 0, xFalse)) { - UnlockDisplay (dpy); - SyncHandle (); - return False; + result = False; } - if(rep.size) { - _XRead(dpy, (char*)red, rep.size << 1); - _XRead(dpy, (char*)green, rep.size << 1); - _XRead(dpy, (char*)blue, rep.size << 1); + else if (rep.size) { + if (rep.size <= size) { + _XRead(dpy, (char*)red, rep.size << 1); + _XRead(dpy, (char*)green, rep.size << 1); + _XRead(dpy, (char*)blue, rep.size << 1); + } + else { + _XEatDataWords(dpy, rep.length); + result = False; + } } UnlockDisplay(dpy); SyncHandle(); - return True; + return result; } Bool XF86VidModeGetGammaRampSize( Index: libXxf86vm-1.0.2/src/eat.h =================================================================== --- /dev/null +++ libXxf86vm-1.0.2/src/eat.h @@ -0,0 +1,40 @@ +/* + * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved. + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice (including the next + * paragraph) shall be included in all copies or substantial portions of the + * Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL + * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + */ + +#ifdef HAVE_CONFIG_H +# include "config.h" +#endif + +#ifndef HAVE__XEATDATAWORDS +#include <X11/Xmd.h> /* for LONG64 on 64-bit platforms */ +#include <limits.h> + +static inline void _XEatDataWords(Display *dpy, unsigned long n) +{ +# ifndef LONG64 + if (n >= (ULONG_MAX >> 2)) + _XIOError(dpy); +# endif + _XEatData (dpy, n << 2); +} +#endif
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor