File U_0001-memory-corruption-in-XF86VidModeGetGamma... of Package xorg-x11-libs

Overview Repositories Revisions Requests Users Attributes Meta

File U_0001-memory-corruption-in-XF86VidModeGetGammaRamp-CVE-201.patch of Package xorg-x11-libs

From 47bb28ac0e6e49d3b6eb90c7c215f2fcf54f1a95 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 13 Apr 2013 14:33:32 -0700
Subject: [PATCH] memory corruption in XF86VidModeGetGammaRamp()
 [CVE-2013-2001]

We trusted the server not to return more data than the client said it had
allocated room for, and would overflow the provided buffers if it did.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
 src/XF86VMode.c | 21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

Index: libXxf86vm-1.0.2/src/XF86VMode.c
===================================================================
--- libXxf86vm-1.0.2.orig/src/XF86VMode.c
+++ libXxf86vm-1.0.2/src/XF86VMode.c
@@ -1139,6 +1140,7 @@ XF86VidModeGetGammaRamp (
     XExtDisplayInfo *info = find_display (dpy);
     xXF86VidModeGetGammaRampReq *req;
     xXF86VidModeGetGammaRampReply rep;
+    Bool result = True;
   
     XF86VidModeCheckExtension (dpy, info, False);
 
@@ -1149,19 +1151,23 @@ XF86VidModeGetGammaRamp (
     req->screen = screen;
     req->size = size;
     if (!_XReply (dpy, (xReply *) &rep, 0, xFalse)) {
-        UnlockDisplay (dpy);
-        SyncHandle ();
-        return False;
+        result = False;
     }
-    if(rep.size) {
-	_XRead(dpy, (char*)red, rep.size << 1);
-	_XRead(dpy, (char*)green, rep.size << 1);
-	_XRead(dpy, (char*)blue, rep.size << 1);
+    else if (rep.size) {
+	if (rep.size <= size) {
+	    _XRead(dpy, (char*)red, rep.size << 1);
+	    _XRead(dpy, (char*)green, rep.size << 1);
+	    _XRead(dpy, (char*)blue, rep.size << 1);
+	}
+	else {
+	    _XEatDataWords(dpy, rep.length);
+	    result = False;
+	}
     }
 
     UnlockDisplay(dpy);
     SyncHandle();
-    return True;
+    return result;
 }
 
 Bool XF86VidModeGetGammaRampSize(
Index: libXxf86vm-1.0.2/src/eat.h
===================================================================
--- /dev/null
+++ libXxf86vm-1.0.2/src/eat.h
@@ -0,0 +1,40 @@
+/*
+ * Copyright (c) 2013, Oracle and/or its affiliates. All rights reserved.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice (including the next
+ * paragraph) shall be included in all copies or substantial portions of the
+ * Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.  IN NO EVENT SHALL
+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ */
+
+#ifdef HAVE_CONFIG_H
+# include "config.h"
+#endif
+
+#ifndef HAVE__XEATDATAWORDS
+#include <X11/Xmd.h>  /* for LONG64 on 64-bit platforms */
+#include <limits.h>
+
+static inline void _XEatDataWords(Display *dpy, unsigned long n)
+{
+# ifndef LONG64
+    if (n >= (ULONG_MAX >> 2))
+        _XIOError(dpy);
+# endif
+    _XEatData (dpy, n << 2);
+}
+#endif

Places

File U_0001-memory-corruption-in-XF86VidModeGetGammaRamp-CVE-201.patch of Package xorg-x11-libs

Places