author | Niclas Zeising <zeising@FreeBSD.org> | 2013-07-03 11:35:50 +0000 |
---|---|---|
committer | Niclas Zeising <zeising@FreeBSD.org> | 2013-07-03 11:35:50 +0000 |
commit | 9313932a468281e4c9e99307c86857b9c5c62eb9 (patch) | |
tree | 564c278812328342a7e0204b350b55715362383d /x11 | |
parent | 928f61a15df8c918ede0863d001decf6b56afc08 (diff) | |
Notes
Diffstat (limited to 'x11')
-rw-r--r-- | x11/libXi/Makefile | 3 | ||||
-rw-r--r-- | x11/libXi/distinfo | 4 | ||||
-rw-r--r-- | x11/libXi/files/patch-src_XGMotion.c | 63 | ||||
-rw-r--r-- | x11/libXi/files/patch-src_XGetBMap.c | 61 | ||||
-rw-r--r-- | x11/libXi/files/patch-src_XGetDCtl.c | 113 | ||||
-rw-r--r-- | x11/libXi/files/patch-src_XGetDProp.c | 126 | ||||
-rw-r--r-- | x11/libXi/files/patch-src_XGetFCtl.c | 94 | ||||
-rw-r--r-- | x11/libXi/files/patch-src_XGetProp.c | 53 | ||||
-rw-r--r-- | x11/libXi/files/patch-src_XIPassiveGrab.c | 27 | ||||
-rw-r--r-- | x11/libXi/files/patch-src_XIProperties.c | 52 | ||||
-rw-r--r-- | x11/libXi/files/patch-src_XISelEv.c | 85 | ||||
-rw-r--r-- | x11/libXi/files/patch-src_XListDev.c | 83 | ||||
-rw-r--r-- | x11/libXi/files/patch-src_XQueryDv.c | 63 |
13 files changed, 3 insertions, 824 deletions
diff --git a/x11/libXi/Makefile b/x11/libXi/Makefile
index 81b66525f9c9..25cb67b26931 100644
--- a/x11/libXi/Makefile
+++ b/x11/libXi/Makefile
@@ -2,8 +2,7 @@
 # $FreeBSD$
 PORTNAME= libXi
-PORTVERSION= 1.7.1
-PORTREVISION= 1
+PORTVERSION= 1.7.2
 PORTEPOCH= 1
 CATEGORIES= x11
diff --git a/x11/libXi/distinfo b/x11/libXi/distinfo
index 10f6fc7d053b..a03dbae991b5 100644
--- a/x11/libXi/distinfo
+++ b/x11/libXi/distinfo
@@ -1,2 +1,2 @@
-SHA256 (xorg/lib/libXi-1.7.1.tar.bz2) = e92adb6b69c53c51e05c1e65db97e23751b935a693000fb0606c11b88c0066c5
-SIZE (xorg/lib/libXi-1.7.1.tar.bz2) = 434569
+SHA256 (xorg/lib/libXi-1.7.2.tar.bz2) = df24781dc63645e2b561cd0b20bd8a0e7aff02e426a8d2a7641159004d4cb20e
+SIZE (xorg/lib/libXi-1.7.2.tar.bz2) = 440969
diff --git a/x11/libXi/files/patch-src_XGMotion.c b/x11/libXi/files/patch-src_XGMotion.c
deleted file mode 100644
index 4902168a6023..000000000000
--- a/x11/libXi/files/patch-src_XGMotion.c
+++ /dev/null
@@ -1,63 +0,0 @@
-From bb922ed4253b35590f0369f32a917ff89ade0830 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sun, 10 Mar 2013 06:55:23 +0000
-Subject: integer overflow in XGetDeviceMotionEvents() [CVE-2013-1984 4/8]
-
-If the number of events or axes reported by the server is large enough
-that it overflows when multiplied by the size of the appropriate struct,
-then memory corruption can occur when more bytes are copied from the
-X server reply than the size of the buffer we allocated to hold them.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
----
-diff --git a/src/XGMotion.c b/src/XGMotion.c
-index 5feac85..a4c75b6 100644
---- src/XGMotion.c
-+++ src/XGMotion.c
-@@ -59,6 +59,7 @@ SOFTWARE.
- #include <X11/extensions/XInput.h>
- #include <X11/extensions/extutil.h>
- #include "XIint.h"
-+#include <limits.h>
-
- XDeviceTimeCoord *
- XGetDeviceMotionEvents(
-@@ -74,7 +75,7 @@ XGetDeviceMotionEvents(
- xGetDeviceMotionEventsReply rep;
- XDeviceTimeCoord *tc;
- int *data, *bufp, *readp, *savp;
-- long size, size2;
-+ unsigned long size;
- int i, j;
- XExtDisplayInfo *info = XInput_find_display(dpy);
-
-@@ -104,10 +105,21 @@ XGetDeviceMotionEvents(
- SyncHandle();
- return (NULL);
- }
-- size = rep.length << 2;
-- size2 = rep.nEvents * (sizeof(XDeviceTimeCoord) + (rep.axes * sizeof(int)));
-- savp = readp = (int *)Xmalloc(size);
-- bufp = (int *)Xmalloc(size2);
-+ if (rep.length < (INT_MAX >> 2)) {
-+ size = rep.length << 2;
-+ savp = readp = Xmalloc(size);
-+ } else {
-+ size = 0;
-+ savp = readp = NULL;
-+ }
-+ /* rep.axes is a CARD8, so assume max number of axes for bounds check */
-+ if (rep.nEvents <
-+ (INT_MAX / (sizeof(XDeviceTimeCoord) + (UCHAR_MAX * sizeof(int))))) {
-+ size_t bsize = rep.nEvents *
-+ (sizeof(XDeviceTimeCoord) + (rep.axes * sizeof(int)));
-+ bufp = Xmalloc(bsize);
-+ } else
-+ bufp = NULL;
- if (!bufp || !savp) {
- Xfree(bufp);
- Xfree(savp);
---
-cgit v0.9.0.2-2-gbebe
diff --git a/x11/libXi/files/patch-src_XGetBMap.c b/x11/libXi/files/patch-src_XGetBMap.c
deleted file mode 100644
index d395088fb500..000000000000
--- a/x11/libXi/files/patch-src_XGetBMap.c
+++ /dev/null
@@ -1,61 +0,0 @@
-From f3e08e4fbe40016484ba795feecf1a742170ffc1 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sun, 10 Mar 2013 06:26:52 +0000
-Subject: Stack buffer overflow in XGetDeviceButtonMapping() [CVE-2013-1998 1/3]
-
-We copy the entire reply sent by the server into the fixed size
-mapping[] array on the stack, even if the server says it's a larger
-size than the mapping array can hold. HULK SMASH STACK!
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
----
-diff --git a/src/XGetBMap.c b/src/XGetBMap.c
-index 211c9ca..002daba 100644
---- src/XGetBMap.c
-+++ src/XGetBMap.c
-@@ -60,6 +60,7 @@ SOFTWARE.
- #include <X11/extensions/XInput.h>
- #include <X11/extensions/extutil.h>
- #include "XIint.h"
-+#include <limits.h>
-
- #ifdef MIN /* some systems define this in <sys/param.h> */
- #undef MIN
-@@ -75,7 +76,6 @@ XGetDeviceButtonMapping(
- {
- int status = 0;
- unsigned char mapping[256]; /* known fixed size */
-- long nbytes;
- XExtDisplayInfo *info = XInput_find_display(dpy);
-
- register xGetDeviceButtonMappingReq *req;
-@@ -92,13 +92,18 @@ XGetDeviceButtonMapping(
-
- status = _XReply(dpy, (xReply *) & rep, 0, xFalse);
- if (status == 1) {
-- nbytes = (long)rep.length << 2;
-- _XRead(dpy, (char *)mapping, nbytes);
--
-- /* don't return more data than the user asked for. */
-- if (rep.nElts)
-- memcpy((char *)map, (char *)mapping, MIN((int)rep.nElts, nmap));
-- status = rep.nElts;
-+ if (rep.length <= (sizeof(mapping) >> 2)) {
-+ unsigned long nbytes = rep.length << 2;
-+ _XRead(dpy, (char *)mapping, nbytes);
-+
-+ /* don't return more data than the user asked for. */
-+ if (rep.nElts)
-+ memcpy(map, mapping, MIN((int)rep.nElts, nmap));
-+ status = rep.nElts;
-+ } else {
-+ _XEatDataWords(dpy, rep.length);
-+ status = 0;
-+ }
- } else
- status = 0;
- UnlockDisplay(dpy);
---
-cgit v0.9.0.2-2-gbebe
diff --git a/x11/libXi/files/patch-src_XGetDCtl.c b/x11/libXi/files/patch-src_XGetDCtl.c
deleted file mode 100644
index d93276c74c64..000000000000
--- a/x11/libXi/files/patch-src_XGetDCtl.c
+++ /dev/null
@@ -1,113 +0,0 @@
-From b0b13c12a8079a5a0e7f43b2b8983699057b2cec Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sun, 10 Mar 2013 06:55:23 +0000
-Subject: integer overflow in XGetDeviceControl() [CVE-2013-1984 1/8]
-
-If the number of valuators reported by the server is large enough that
-it overflows when multiplied by the size of the appropriate struct, then
-memory corruption can occur when more bytes are copied from the X server
-reply than the size of the buffer we allocated to hold them.
-
-v2: check that reply size fits inside the data read from the server, so
-we don't read out of bounds either
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
----
-diff --git a/src/XGetDCtl.c b/src/XGetDCtl.c
-index f73a4e8..51ed0ae 100644
---- src/XGetDCtl.c
-+++ src/XGetDCtl.c
-@@ -61,6 +61,7 @@ SOFTWARE.
- #include <X11/extensions/XInput.h>
- #include <X11/extensions/extutil.h>
- #include "XIint.h"
-+#include <limits.h>
-
- XDeviceControl *
- XGetDeviceControl(
-@@ -68,8 +69,6 @@ XGetDeviceControl(
- XDevice *dev,
- int control)
- {
-- int size = 0;
-- int nbytes, i;
- XDeviceControl *Device = NULL;
- XDeviceControl *Sav = NULL;
- xDeviceState *d = NULL;
-@@ -92,8 +91,12 @@ XGetDeviceControl(
- goto out;
-
- if (rep.length > 0) {
-- nbytes = (long)rep.length << 2;
-- d = (xDeviceState *) Xmalloc((unsigned)nbytes);
-+ unsigned long nbytes;
-+ size_t size = 0;
-+ if (rep.length < (INT_MAX >> 2)) {
-+ nbytes = (unsigned long) rep.length << 2;
-+ d = Xmalloc(nbytes);
-+ }
- if (!d) {
- _XEatDataWords(dpy, rep.length);
- goto out;
-@@ -111,33 +114,46 @@ XGetDeviceControl(
- case DEVICE_RESOLUTION:
- {
- xDeviceResolutionState *r;
-+ size_t val_size;
-
- r = (xDeviceResolutionState *) d;
-- size += sizeof(XDeviceResolutionState) +
-- (3 * sizeof(int) * r->num_valuators);
-+ if (r->num_valuators >= (INT_MAX / (3 * sizeof(int))))
-+ goto out;
-+ val_size = 3 * sizeof(int) * r->num_valuators;
-+ if ((sizeof(xDeviceResolutionState) + val_size) > nbytes)
-+ goto out;
-+ size += sizeof(XDeviceResolutionState) + val_size;
- break;
- }
- case DEVICE_ABS_CALIB:
- {
-+ if (sizeof(xDeviceAbsCalibState) > nbytes)
-+ goto out;
- size += sizeof(XDeviceAbsCalibState);
- break;
- }
- case DEVICE_ABS_AREA:
- {
-+ if (sizeof(xDeviceAbsAreaState) > nbytes)
-+ goto out;
- size += sizeof(XDeviceAbsAreaState);
- break;
- }
- case DEVICE_CORE:
- {
-+ if (sizeof(xDeviceCoreState) > nbytes)
-+ goto out;
- size += sizeof(XDeviceCoreState);
- break;
- }
- default:
-+ if (d->length > nbytes)
-+ goto out;
- size += d->length;
- break;
- }
-
-- Device = (XDeviceControl *) Xmalloc((unsigned)size);
-+ Device = Xmalloc(size);
- if (!Device)
- goto out;
-
-@@ -150,6 +166,7 @@ XGetDeviceControl(
- int *iptr, *iptr2;
- xDeviceResolutionState *r;
- XDeviceResolutionState *R;
-+ unsigned int i;
-
- r = (xDeviceResolutionState *) d;
- R = (XDeviceResolutionState *) Device;
---
-cgit v0.9.0.2-2-gbebe
diff --git a/x11/libXi/files/patch-src_XGetDProp.c b/x11/libXi/files/patch-src_XGetDProp.c
deleted file mode 100644
index 7ad4e6d9a282..000000000000
--- a/x11/libXi/files/patch-src_XGetDProp.c
+++ /dev/null
@@ -1,126 +0,0 @@
-From 17071c1c608247800b2ca03a35b1fcc9c4cabe6c Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sun, 10 Mar 2013 20:30:55 +0000
-Subject: Avoid integer overflow in XGetDeviceProperties() [CVE-2013-1984 7/8]
-
-If the number of items as reported by the Xserver is too large, it
-could overflow the calculation for the size of the buffer to copy the
-reply into, causing memory corruption.
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
----
---- src/XGetDProp.c.orig 2010-09-07 05:21:05.000000000 +0000
-+++ src/XGetDProp.c 2013-05-29 16:46:04.000000000 +0000
-@@ -38,6 +38,7 @@ in this Software without prior written a
- #include <X11/extensions/XInput.h>
- #include <X11/extensions/extutil.h>
- #include "XIint.h"
-+#include <limits.h>
-
- int
- XGetDeviceProperty(Display* dpy, XDevice* dev,
-@@ -48,7 +49,8 @@ XGetDeviceProperty(Display* dpy, XDevice
- {
- xGetDevicePropertyReq *req;
- xGetDevicePropertyReply rep;
-- long nbytes, rbytes;
-+ unsigned long nbytes, rbytes;
-+ int ret = Success;
-
- XExtDisplayInfo *info = XInput_find_display(dpy);
-
-@@ -81,30 +83,43 @@ XGetDeviceProperty(Display* dpy, XDevice
- * data, but this last byte is null terminated and convenient for
- * returning string properties, so the client doesn't then have to
- * recopy the string to make it null terminated.
-+ *
-+ * Maximum item limits are set to both prevent integer overflow when
-+ * calculating the amount of memory to malloc, and to limit how much
-+ * memory will be used if a server provides an insanely high count.
- */
- switch (rep.format) {
- case 8:
-- nbytes = rep.nItems;
-- rbytes = rep.nItems + 1;
-- if (rbytes > 0 &&
-- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes)))
-- _XReadPad (dpy, (char *) *prop, nbytes);
-+ if (rep.nItems < INT_MAX) {
-+ nbytes = rep.nItems;
-+ rbytes = rep.nItems + 1;
-+ if ((*prop = Xmalloc (rbytes)))
-+ _XReadPad (dpy, (char *) *prop, nbytes);
-+ else
-+ ret = BadAlloc;
-+ }
- break;
-
- case 16:
-- nbytes = rep.nItems << 1;
-- rbytes = rep.nItems * sizeof (short) + 1;
-- if (rbytes > 0 &&
-- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes)))
-- _XRead16Pad (dpy, (short *) *prop, nbytes);
-+ if (rep.nItems < (INT_MAX / sizeof (short))) {
-+ nbytes = rep.nItems << 1;
-+ rbytes = rep.nItems * sizeof (short) + 1;
-+ if ((*prop = Xmalloc (rbytes)))
-+ _XRead16Pad (dpy, (short *) *prop, nbytes);
-+ else
-+ ret = BadAlloc;
-+ }
- break;
-
- case 32:
-- nbytes = rep.nItems << 2;
-- rbytes = rep.nItems * sizeof (long) + 1;
-- if (rbytes > 0 &&
-- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes)))
-- _XRead32 (dpy, (long *) *prop, nbytes);
-+ if (rep.nItems < (INT_MAX / sizeof (long))) {
-+ nbytes = rep.nItems << 2;
-+ rbytes = rep.nItems * sizeof (long) + 1;
-+ if ((*prop = Xmalloc (rbytes)))
-+ _XRead32 (dpy, (long *) *prop, nbytes);
-+ else
-+ ret = BadAlloc;
-+ }
- break;
-
- default:
-@@ -112,17 +127,13 @@ XGetDeviceProperty(Display* dpy, XDevice
- * This part of the code should never be reached. If it is,
- * the server sent back a property with an invalid format.
- */
-- nbytes = rep.length << 2;
-- _XEatData(dpy, (unsigned long) nbytes);
-- UnlockDisplay(dpy);
-- SyncHandle();
-- return(BadImplementation);
-+ ret = BadImplementation;
- }
- if (! *prop) {
-- _XEatData(dpy, (unsigned long) nbytes);
-- UnlockDisplay(dpy);
-- SyncHandle();
-- return(BadAlloc);
-+ _XEatDataWords(dpy, rep.length);
-+ if (ret == Success)
-+ ret = BadAlloc;
-+ goto out;
- }
- (*prop)[rbytes - 1] = '\0';
- }
-@@ -131,9 +142,10 @@ XGetDeviceProperty(Display* dpy, XDevice
- *actual_format = rep.format;
- *nitems = rep.nItems;
- *bytes_after = rep.bytesAfter;
-+ out:
- UnlockDisplay (dpy);
- SyncHandle ();
-
-- return Success;
-+ return ret;
- }
-
diff --git a/x11/libXi/files/patch-src_XGetFCtl.c b/x11/libXi/files/patch-src_XGetFCtl.c
deleted file mode 100644
index 6c9949b61446..000000000000
--- a/x11/libXi/files/patch-src_XGetFCtl.c
+++ /dev/null
@@ -1,94 +0,0 @@
-From 322ee3576789380222d4403366e4fd12fb24cb6a Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sun, 10 Mar 2013 06:55:23 +0000
-Subject: integer overflow in XGetFeedbackControl() [CVE-2013-1984 2/8]
-
-If the number of feedbacks reported by the server is large enough that
-it overflows when multiplied by the size of the appropriate struct, or
-if the total size of all the feedback structures overflows when added
-together, then memory corruption can occur when more bytes are copied from
-the X server reply than the size of the buffer we allocated to hold them.
-
-v2: check that reply size fits inside the data read from the server, so
- we don't read out of bounds either
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
----
-diff --git a/src/XGetFCtl.c b/src/XGetFCtl.c
-index 28fab4d..bb50bf3 100644
---- src/XGetFCtl.c
-+++ src/XGetFCtl.c
-@@ -61,6 +61,7 @@ SOFTWARE.
- #include <X11/extensions/XInput.h>
- #include <X11/extensions/extutil.h>
- #include "XIint.h"
-+#include <limits.h>
-
- XFeedbackState *
- XGetFeedbackControl(
-@@ -68,8 +69,6 @@ XGetFeedbackControl(
- XDevice *dev,
- int *num_feedbacks)
- {
-- int size = 0;
-- int nbytes, i;
- XFeedbackState *Feedback = NULL;
- XFeedbackState *Sav = NULL;
- xFeedbackState *f = NULL;
-@@ -91,9 +90,16 @@ XGetFeedbackControl(
- goto out;
-
- if (rep.length > 0) {
-+ unsigned long nbytes;
-+ size_t size = 0;
-+ int i;
-+
- *num_feedbacks = rep.num_feedbacks;
-- nbytes = (long)rep.length << 2;
-- f = (xFeedbackState *) Xmalloc((unsigned)nbytes);
-+
-+ if (rep.length < (INT_MAX >> 2)) {
-+ nbytes = rep.length << 2;
-+ f = Xmalloc(nbytes);
-+ }
- if (!f) {
- _XEatDataWords(dpy, rep.length);
- goto out;
-@@ -102,6 +108,10 @@ XGetFeedbackControl(
- _XRead(dpy, (char *)f, nbytes);
-
- for (i = 0; i < *num_feedbacks; i++) {
-+ if (f->length > nbytes)
-+ goto out;
-+ nbytes -= f->length;
-+
- switch (f->class) {
- case KbdFeedbackClass:
- size += sizeof(XKbdFeedbackState);
-@@ -116,6 +126,8 @@ XGetFeedbackControl(
- {
- xStringFeedbackState *strf = (xStringFeedbackState *) f;
-
-+ if (strf->num_syms_supported >= (INT_MAX / sizeof(KeySym)))
-+ goto out;
- size += sizeof(XStringFeedbackState) +
- (strf->num_syms_supported * sizeof(KeySym));
- }
-@@ -130,10 +142,12 @@ XGetFeedbackControl(
- size += f->length;
- break;
- }
-+ if (size > INT_MAX)
-+ goto out;
- f = (xFeedbackState *) ((char *)f + f->length);
- }
-
-- Feedback = (XFeedbackState *) Xmalloc((unsigned)size);
-+ Feedback = Xmalloc(size);
- if (!Feedback)
- goto out;
-
---
-cgit v0.9.0.2-2-gbebe
diff --git a/x11/libXi/files/patch-src_XGetProp.c b/x11/libXi/files/patch-src_XGetProp.c
deleted file mode 100644
index 8049cf6fd4bc..000000000000
--- a/x11/libXi/files/patch-src_XGetProp.c
+++ /dev/null
@@ -1,53 +0,0 @@
-From 6dd6dc51a2935c72774be81e5cc2ba2c30e9feff Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sun, 10 Mar 2013 06:55:23 +0000
-Subject: integer overflow in XGetDeviceDontPropagateList() [CVE-2013-1984 3/8]
-
-If the number of event classes reported by the server is large enough
-that it overflows when multiplied by the size of the appropriate struct,
-then memory corruption can occur when more bytes are copied from the
-X server reply than the size of the buffer we allocated to hold them.
-
-V2: EatData if count is 0 but length is > 0 to avoid XIOErrors
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
----
-(limited to 'src/XGetProp.c')
-
---- src/XGetProp.c.orig 2011-12-20 00:28:44.000000000 +0000
-+++ src/XGetProp.c 2013-05-29 16:49:01.000000000 +0000
-@@ -60,6 +60,7 @@ SOFTWARE.
- #include <X11/extensions/XInput.h>
- #include <X11/extensions/extutil.h>
- #include "XIint.h"
-+#include <limits.h>
-
- XEventClass *
- XGetDeviceDontPropagateList(
-@@ -89,11 +90,11 @@ XGetDeviceDontPropagateList(
- }
- *count = rep.count;
-
-- if (*count) {
-- rlen = rep.length << 2;
-- list = (XEventClass *) Xmalloc(rep.length * sizeof(XEventClass));
-+ if (rep.length != 0) {
-+ if ((rep.count != 0) && (rep.length < (INT_MAX / sizeof(XEventClass))))
-+ list = Xmalloc(rep.length * sizeof(XEventClass));
- if (list) {
-- int i;
-+ unsigned int i;
- CARD32 ec;
-
- /* read and assign each XEventClass separately because
-@@ -105,7 +106,7 @@ XGetDeviceDontPropagateList(
- list[i] = (XEventClass) ec;
- }
- } else
-- _XEatData(dpy, (unsigned long)rlen);
-+ _XEatDataWords(dpy, rep.length);
- }
-
- UnlockDisplay(dpy);
diff --git a/x11/libXi/files/patch-src_XIPassiveGrab.c b/x11/libXi/files/patch-src_XIPassiveGrab.c
deleted file mode 100644
index b41d9f4b15a3..000000000000
--- a/x11/libXi/files/patch-src_XIPassiveGrab.c
+++ /dev/null
@@ -1,27 +0,0 @@
-From 91434737f592e8f5cc1762383882a582b55fc03a Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sun, 10 Mar 2013 07:37:23 +0000
-Subject: memory corruption in _XIPassiveGrabDevice() [CVE-2013-1998 2/3]
-
-If the server returned more modifiers than the caller asked for,
-we'd just keep copying past the end of the array provided by the
-caller, writing over who-knows-what happened to be there.
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
----
-diff --git a/src/XIPassiveGrab.c b/src/XIPassiveGrab.c
-index ac17c01..53b4084 100644
---- src/XIPassiveGrab.c
-+++ src/XIPassiveGrab.c
-@@ -88,7 +88,7 @@ _XIPassiveGrabDevice(Display* dpy, int deviceid, int grabtype, int detail,
- return -1;
- _XRead(dpy, (char*)failed_mods, reply.num_modifiers * sizeof(xXIGrabModifierInfo));
-
-- for (i = 0; i < reply.num_modifiers; i++)
-+ for (i = 0; i < reply.num_modifiers && i < num_modifiers; i++)
- {
- modifiers_inout[i].status = failed_mods[i].status;
- modifiers_inout[i].modifiers = failed_mods[i].modifiers;
---
-cgit v0.9.0.2-2-gbebe
diff --git a/x11/libXi/files/patch-src_XIProperties.c b/x11/libXi/files/patch-src_XIProperties.c
deleted file mode 100644
index 4d62f1962984..000000000000
--- a/x11/libXi/files/patch-src_XIProperties.c
+++ /dev/null
@@ -1,52 +0,0 @@
-From 242f92b490a695fbab244af5bad11b71f897c732 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sun, 10 Mar 2013 06:55:23 +0000
-Subject: integer overflow in XIGetProperty() [CVE-2013-1984 5/8]
-
-If the number of items reported by the server is large enough that
-it overflows when multiplied by the size of the appropriate item type,
-then memory corruption can occur when more bytes are copied from the
-X server reply than the size of the buffer we allocated to hold them.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
----
-diff --git a/src/XIProperties.c b/src/XIProperties.c
-index 5e58fb6..32436d1 100644
---- src/XIProperties.c
-+++ src/XIProperties.c
-@@ -38,6 +38,7 @@
- #include <X11/extensions/XInput2.h>
- #include <X11/extensions/extutil.h>
- #include "XIint.h"
-+#include <limits.h>
-
- Atom*
- XIListProperties(Display* dpy, int deviceid, int *num_props_return)
-@@ -170,7 +171,7 @@ XIGetProperty(Display* dpy, int deviceid, Atom property, long offset,
- {
- xXIGetPropertyReq *req;
- xXIGetPropertyReply rep;
-- long nbytes, rbytes;
-+ unsigned long nbytes, rbytes;
-
- XExtDisplayInfo *info = XInput_find_display(dpy);
-
-@@ -216,9 +217,11 @@ XIGetProperty(Display* dpy, int deviceid, Atom property, long offset,
- * recopy the string to make it null terminated.
- */
-
-- nbytes = rep.num_items * rep.format/8;
-- rbytes = nbytes + 1;
-- *data = Xmalloc(rbytes);
-+ if (rep.num_items < (INT_MAX / (rep.format/8))) {
-+ nbytes = rep.num_items * rep.format/8;
-+ rbytes = nbytes + 1;
-+ *data = Xmalloc(rbytes);
-+ }
-
- if (!(*data)) {
- _XEatDataWords(dpy, rep.length);
---
-cgit v0.9.0.2-2-gbebe
diff --git a/x11/libXi/files/patch-src_XISelEv.c b/x11/libXi/files/patch-src_XISelEv.c
deleted file mode 100644
index c86656f2cfb7..000000000000
--- a/x11/libXi/files/patch-src_XISelEv.c
+++ /dev/null
@@ -1,85 +0,0 @@
-From 528419b9ef437e7eeafb41bf45e8ff7d818bd845 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sun, 10 Mar 2013 06:55:23 +0000
-Subject: integer overflow in XIGetSelectedEvents() [CVE-2013-1984 6/8]
-
-If the number of events or masks reported by the server is large enough
-that it overflows when multiplied by the size of the appropriate struct,
-or the sizes overflow as they are totaled up, then memory corruption can
-occur when more bytes are copied from the X server reply than the size
-of the buffer we allocated to hold them.
-
-v2: check that reply size fits inside the data read from the server,
- so that we don't read out of bounds either
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
----
-diff --git a/src/XISelEv.c b/src/XISelEv.c
-index f871222..0471bef 100644
---- src/XISelEv.c
-+++ src/XISelEv.c
-@@ -42,6 +42,7 @@ in this Software without prior written authorization from the author.
- #include <X11/extensions/ge.h>
- #include <X11/extensions/geproto.h>
- #include "XIint.h"
-+#include <limits.h>
-
- int
- XISelectEvents(Display* dpy, Window win, XIEventMask* masks, int num_masks)
-@@ -101,13 +102,14 @@ out:
- XIEventMask*
- XIGetSelectedEvents(Display* dpy, Window win, int *num_masks_return)
- {
-- int i, len = 0;
-+ unsigned int i, len = 0;
- unsigned char *mask;
- XIEventMask *mask_out = NULL;
- xXIEventMask *mask_in = NULL, *mi;
- xXIGetSelectedEventsReq *req;
- xXIGetSelectedEventsReply reply;
- XExtDisplayInfo *info = XInput_find_display(dpy);
-+ size_t rbytes;
-
- *num_masks_return = -1;
- LockDisplay(dpy);
-@@ -129,11 +131,16 @@ XIGetSelectedEvents(Display* dpy, Window win, int *num_masks_return)
- goto out;
- }
-
-- mask_in = Xmalloc(reply.length * 4);
-- if (!mask_in)
-+ if (reply.length < (INT_MAX >> 2)) {
-+ rbytes = (unsigned long) reply.length << 2;
-+ mask_in = Xmalloc(rbytes);
-+ }
-+ if (!mask_in) {
-+ _XEatDataWords(dpy, reply.length);
- goto out;
-+ }
-
-- _XRead(dpy, (char*)mask_in, reply.length * 4);
-+ _XRead(dpy, (char*)mask_in, rbytes);
-
- /*
- * This function takes interleaved xXIEventMask structs & masks off
-@@ -148,8 +155,14 @@ XIGetSelectedEvents(Display* dpy, Window win, int *num_masks_return)
-
- for (i = 0, mi = mask_in; i < reply.num_masks; i++)
- {
-- len += mi->mask_len * 4;
-- mi = (xXIEventMask*)((char*)mi + mi->mask_len * 4);
-+ unsigned int mask_bytes = mi->mask_len * 4;
-+ len += mask_bytes;
-+ if (len > INT_MAX)
-+ goto out;
-+ if ((sizeof(xXIEventMask) + mask_bytes) > rbytes)
-+ goto out;
-+ rbytes -= (sizeof(xXIEventMask) + mask_bytes);
-+ mi = (xXIEventMask*)((char*)mi + mask_bytes);
- mi++;
- }
-
---
-cgit v0.9.0.2-2-gbebe
diff --git a/x11/libXi/files/patch-src_XListDev.c b/x11/libXi/files/patch-src_XListDev.c
deleted file mode 100644
index 8231e6b59089..000000000000
--- a/x11/libXi/files/patch-src_XListDev.c
+++ /dev/null
@@ -1,83 +0,0 @@
-From 81b4df8ac6aa1520c41c3526961014a6f115cc46 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sun, 10 Mar 2013 08:16:22 +0000
-Subject: sign extension issue in XListInputDevices() [CVE-2013-1995]
-
-nptr is (signed) char, which can be negative, and will sign extend
-when added to the int size, which means size can be subtracted from,
-leading to allocating too small a buffer to hold the data being copied
-from the X server's reply.
-
-v2: check that string size fits inside the data read from the server,
- so that we don't read out of bounds either
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
----
-diff --git a/src/XListDev.c b/src/XListDev.c
-index 1c14b96..b85ff3c 100644
---- src/XListDev.c
-+++ src/XListDev.c
-@@ -73,7 +73,7 @@ static int pad_to_xid(int base_size)
- return ((base_size + padsize - 1)/padsize) * padsize;
- }
-
--static int
-+static size_t
- SizeClassInfo(xAnyClassPtr *any, int num_classes)
- {
- int size = 0;
-@@ -170,7 +170,7 @@ XListInputDevices(
- register Display *dpy,
- int *ndevices)
- {
-- int size;
-+ size_t size;
- xListInputDevicesReq *req;
- xListInputDevicesReply rep;
- xDeviceInfo *list, *slist = NULL;
-@@ -178,7 +178,7 @@ XListInputDevices(
- XDeviceInfo *clist = NULL;
- xAnyClassPtr any, sav_any;
- XAnyClassPtr Any;
-- char *nptr, *Nptr;
-+ unsigned char *nptr, *Nptr;
- int i;
- unsigned long rlen;
- XExtDisplayInfo *info = XInput_find_display(dpy);
-@@ -217,9 +217,12 @@ XListInputDevices(
- size += SizeClassInfo(&any, (int)list->num_classes);
- }
-
-- for (i = 0, nptr = (char *)any; i < *ndevices; i++) {
-+ Nptr = ((unsigned char *)list) + rlen + 1;
-+ for (i = 0, nptr = (unsigned char *)any; i < *ndevices; i++) {
- size += *nptr + 1;
- nptr += (*nptr + 1);
-+ if (nptr > Nptr)
-+ goto out;
- }
-
- clist = (XDeviceInfoPtr) Xmalloc(size);
-@@ -245,8 +248,8 @@ XListInputDevices(
- }
-
- clist = sclist;
-- nptr = (char *)any;
-- Nptr = (char *)Any;
-+ nptr = (unsigned char *)any;
-+ Nptr = (unsigned char *)Any;
- for (i = 0; i < *ndevices; i++, clist++) {
- clist->name = (char *)Nptr;
- memcpy(Nptr, nptr + 1, *nptr);
-@@ -256,6 +259,7 @@ XListInputDevices(
- }
- }
-
-+ out:
- XFree((char *)slist);
- UnlockDisplay(dpy);
- SyncHandle();
---
-cgit v0.9.0.2-2-gbebe
diff --git a/x11/libXi/files/patch-src_XQueryDv.c b/x11/libXi/files/patch-src_XQueryDv.c
deleted file mode 100644
index 23e60c2c278c..000000000000
--- a/x11/libXi/files/patch-src_XQueryDv.c
+++ /dev/null
@@ -1,63 +0,0 @@
-From 5398ac0797f7516f2c9b8f2869a6c6d071437352 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Sat, 27 Apr 2013 05:48:36 +0000
-Subject: unvalidated lengths in XQueryDeviceState() [CVE-2013-1998 3/3]
-
-If the lengths given for each class state in the reply add up to more
-than the rep.length, we could read past the end of the buffer allocated
-to hold the data read from the server.
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
----
-diff --git a/src/XQueryDv.c b/src/XQueryDv.c
-index 69c285b..3836777 100644
---- src/XQueryDv.c
-+++ src/XQueryDv.c
-@@ -59,6 +59,7 @@ SOFTWARE.
- #include <X11/extensions/XInput.h>
- #include <X11/extensions/extutil.h>
- #include "XIint.h"
-+#include <limits.h>
-
- XDeviceState *
- XQueryDeviceState(
-@@ -66,8 +67,8 @@ XQueryDeviceState(
- XDevice *dev)
- {
- int i, j;
-- int rlen;
-- int size = 0;
-+ unsigned long rlen;
-+ size_t size = 0;
- xQueryDeviceStateReq *req;
- xQueryDeviceStateReply rep;
- XDeviceState *state = NULL;
-@@ -87,9 +88,11 @@ XQueryDeviceState(
- if (!_XReply(dpy, (xReply *) & rep, 0, xFalse))
- goto out;
-
-- rlen = rep.length << 2;
-- if (rlen > 0) {
-- data = Xmalloc(rlen);
-+ if (rep.length > 0) {
-+ if (rep.length < (INT_MAX >> 2)) {
-+ rlen = (unsigned long) rep.length << 2;
-+ data = Xmalloc(rlen);
-+ }
- if (!data) {
- _XEatDataWords(dpy, rep.length);
- goto out;
-@@ -97,6 +100,10 @@ XQueryDeviceState(
- _XRead(dpy, data, rlen);
-
- for (i = 0, any = (XInputClass *) data; i < (int)rep.num_classes; i++) {
-+ if (any->length > rlen)
-+ goto out;
-+ rlen -= any->length;
-+
- switch (any->class) {
- case KeyClass:
- size += sizeof(XKeyState);
---
-cgit v0.9.0.2-2-gbebe |