
Update to 1.7.2

This release incorporates all of the security patches the port previously carried.

Obtained from:	xorg development repo
Niclas Zeising 2013-07-03 11:35:50 +00:00
parent 928f61a15d
commit 9313932a46
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=322220
13 changed files with 3 additions and 824 deletions


@ -2,8 +2,7 @@
# $FreeBSD$
PORTNAME= libXi
PORTVERSION= 1.7.1
PORTREVISION= 1
PORTVERSION= 1.7.2
PORTEPOCH= 1
CATEGORIES= x11


@ -1,2 +1,2 @@
SHA256 (xorg/lib/libXi-1.7.1.tar.bz2) = e92adb6b69c53c51e05c1e65db97e23751b935a693000fb0606c11b88c0066c5
SIZE (xorg/lib/libXi-1.7.1.tar.bz2) = 434569
SHA256 (xorg/lib/libXi-1.7.2.tar.bz2) = df24781dc63645e2b561cd0b20bd8a0e7aff02e426a8d2a7641159004d4cb20e
SIZE (xorg/lib/libXi-1.7.2.tar.bz2) = 440969


@ -1,63 +0,0 @@
From bb922ed4253b35590f0369f32a917ff89ade0830 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 10 Mar 2013 06:55:23 +0000
Subject: integer overflow in XGetDeviceMotionEvents() [CVE-2013-1984 4/8]
If the number of events or axes reported by the server is large enough
that it overflows when multiplied by the size of the appropriate struct,
then memory corruption can occur when more bytes are copied from the
X server reply than the size of the buffer we allocated to hold them.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
diff --git a/src/XGMotion.c b/src/XGMotion.c
index 5feac85..a4c75b6 100644
--- src/XGMotion.c
+++ src/XGMotion.c
@@ -59,6 +59,7 @@ SOFTWARE.
#include <X11/extensions/XInput.h>
#include <X11/extensions/extutil.h>
#include "XIint.h"
+#include <limits.h>
XDeviceTimeCoord *
XGetDeviceMotionEvents(
@@ -74,7 +75,7 @@ XGetDeviceMotionEvents(
xGetDeviceMotionEventsReply rep;
XDeviceTimeCoord *tc;
int *data, *bufp, *readp, *savp;
- long size, size2;
+ unsigned long size;
int i, j;
XExtDisplayInfo *info = XInput_find_display(dpy);
@@ -104,10 +105,21 @@ XGetDeviceMotionEvents(
SyncHandle();
return (NULL);
}
- size = rep.length << 2;
- size2 = rep.nEvents * (sizeof(XDeviceTimeCoord) + (rep.axes * sizeof(int)));
- savp = readp = (int *)Xmalloc(size);
- bufp = (int *)Xmalloc(size2);
+ if (rep.length < (INT_MAX >> 2)) {
+ size = rep.length << 2;
+ savp = readp = Xmalloc(size);
+ } else {
+ size = 0;
+ savp = readp = NULL;
+ }
+ /* rep.axes is a CARD8, so assume max number of axes for bounds check */
+ if (rep.nEvents <
+ (INT_MAX / (sizeof(XDeviceTimeCoord) + (UCHAR_MAX * sizeof(int))))) {
+ size_t bsize = rep.nEvents *
+ (sizeof(XDeviceTimeCoord) + (rep.axes * sizeof(int)));
+ bufp = Xmalloc(bsize);
+ } else
+ bufp = NULL;
if (!bufp || !savp) {
Xfree(bufp);
Xfree(savp);
--
cgit v0.9.0.2-2-gbebe


@ -1,61 +0,0 @@
From f3e08e4fbe40016484ba795feecf1a742170ffc1 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 10 Mar 2013 06:26:52 +0000
Subject: Stack buffer overflow in XGetDeviceButtonMapping() [CVE-2013-1998 1/3]
We copy the entire reply sent by the server into the fixed size
mapping[] array on the stack, even if the server says it's a larger
size than the mapping array can hold. HULK SMASH STACK!
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
diff --git a/src/XGetBMap.c b/src/XGetBMap.c
index 211c9ca..002daba 100644
--- src/XGetBMap.c
+++ src/XGetBMap.c
@@ -60,6 +60,7 @@ SOFTWARE.
#include <X11/extensions/XInput.h>
#include <X11/extensions/extutil.h>
#include "XIint.h"
+#include <limits.h>
#ifdef MIN /* some systems define this in <sys/param.h> */
#undef MIN
@@ -75,7 +76,6 @@ XGetDeviceButtonMapping(
{
int status = 0;
unsigned char mapping[256]; /* known fixed size */
- long nbytes;
XExtDisplayInfo *info = XInput_find_display(dpy);
register xGetDeviceButtonMappingReq *req;
@@ -92,13 +92,18 @@ XGetDeviceButtonMapping(
status = _XReply(dpy, (xReply *) & rep, 0, xFalse);
if (status == 1) {
- nbytes = (long)rep.length << 2;
- _XRead(dpy, (char *)mapping, nbytes);
-
- /* don't return more data than the user asked for. */
- if (rep.nElts)
- memcpy((char *)map, (char *)mapping, MIN((int)rep.nElts, nmap));
- status = rep.nElts;
+ if (rep.length <= (sizeof(mapping) >> 2)) {
+ unsigned long nbytes = rep.length << 2;
+ _XRead(dpy, (char *)mapping, nbytes);
+
+ /* don't return more data than the user asked for. */
+ if (rep.nElts)
+ memcpy(map, mapping, MIN((int)rep.nElts, nmap));
+ status = rep.nElts;
+ } else {
+ _XEatDataWords(dpy, rep.length);
+ status = 0;
+ }
} else
status = 0;
UnlockDisplay(dpy);
--
cgit v0.9.0.2-2-gbebe


@ -1,113 +0,0 @@
From b0b13c12a8079a5a0e7f43b2b8983699057b2cec Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 10 Mar 2013 06:55:23 +0000
Subject: integer overflow in XGetDeviceControl() [CVE-2013-1984 1/8]
If the number of valuators reported by the server is large enough that
it overflows when multiplied by the size of the appropriate struct, then
memory corruption can occur when more bytes are copied from the X server
reply than the size of the buffer we allocated to hold them.
v2: check that reply size fits inside the data read from the server, so
we don't read out of bounds either
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
diff --git a/src/XGetDCtl.c b/src/XGetDCtl.c
index f73a4e8..51ed0ae 100644
--- src/XGetDCtl.c
+++ src/XGetDCtl.c
@@ -61,6 +61,7 @@ SOFTWARE.
#include <X11/extensions/XInput.h>
#include <X11/extensions/extutil.h>
#include "XIint.h"
+#include <limits.h>
XDeviceControl *
XGetDeviceControl(
@@ -68,8 +69,6 @@ XGetDeviceControl(
XDevice *dev,
int control)
{
- int size = 0;
- int nbytes, i;
XDeviceControl *Device = NULL;
XDeviceControl *Sav = NULL;
xDeviceState *d = NULL;
@@ -92,8 +91,12 @@ XGetDeviceControl(
goto out;
if (rep.length > 0) {
- nbytes = (long)rep.length << 2;
- d = (xDeviceState *) Xmalloc((unsigned)nbytes);
+ unsigned long nbytes;
+ size_t size = 0;
+ if (rep.length < (INT_MAX >> 2)) {
+ nbytes = (unsigned long) rep.length << 2;
+ d = Xmalloc(nbytes);
+ }
if (!d) {
_XEatDataWords(dpy, rep.length);
goto out;
@@ -111,33 +114,46 @@ XGetDeviceControl(
case DEVICE_RESOLUTION:
{
xDeviceResolutionState *r;
+ size_t val_size;
r = (xDeviceResolutionState *) d;
- size += sizeof(XDeviceResolutionState) +
- (3 * sizeof(int) * r->num_valuators);
+ if (r->num_valuators >= (INT_MAX / (3 * sizeof(int))))
+ goto out;
+ val_size = 3 * sizeof(int) * r->num_valuators;
+ if ((sizeof(xDeviceResolutionState) + val_size) > nbytes)
+ goto out;
+ size += sizeof(XDeviceResolutionState) + val_size;
break;
}
case DEVICE_ABS_CALIB:
{
+ if (sizeof(xDeviceAbsCalibState) > nbytes)
+ goto out;
size += sizeof(XDeviceAbsCalibState);
break;
}
case DEVICE_ABS_AREA:
{
+ if (sizeof(xDeviceAbsAreaState) > nbytes)
+ goto out;
size += sizeof(XDeviceAbsAreaState);
break;
}
case DEVICE_CORE:
{
+ if (sizeof(xDeviceCoreState) > nbytes)
+ goto out;
size += sizeof(XDeviceCoreState);
break;
}
default:
+ if (d->length > nbytes)
+ goto out;
size += d->length;
break;
}
- Device = (XDeviceControl *) Xmalloc((unsigned)size);
+ Device = Xmalloc(size);
if (!Device)
goto out;
@@ -150,6 +166,7 @@ XGetDeviceControl(
int *iptr, *iptr2;
xDeviceResolutionState *r;
XDeviceResolutionState *R;
+ unsigned int i;
r = (xDeviceResolutionState *) d;
R = (XDeviceResolutionState *) Device;
--
cgit v0.9.0.2-2-gbebe


@ -1,126 +0,0 @@
From 17071c1c608247800b2ca03a35b1fcc9c4cabe6c Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 10 Mar 2013 20:30:55 +0000
Subject: Avoid integer overflow in XGetDeviceProperties() [CVE-2013-1984 7/8]
If the number of items as reported by the Xserver is too large, it
could overflow the calculation for the size of the buffer to copy the
reply into, causing memory corruption.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
--- src/XGetDProp.c.orig 2010-09-07 05:21:05.000000000 +0000
+++ src/XGetDProp.c 2013-05-29 16:46:04.000000000 +0000
@@ -38,6 +38,7 @@ in this Software without prior written a
#include <X11/extensions/XInput.h>
#include <X11/extensions/extutil.h>
#include "XIint.h"
+#include <limits.h>
int
XGetDeviceProperty(Display* dpy, XDevice* dev,
@@ -48,7 +49,8 @@ XGetDeviceProperty(Display* dpy, XDevice
{
xGetDevicePropertyReq *req;
xGetDevicePropertyReply rep;
- long nbytes, rbytes;
+ unsigned long nbytes, rbytes;
+ int ret = Success;
XExtDisplayInfo *info = XInput_find_display(dpy);
@@ -81,30 +83,43 @@ XGetDeviceProperty(Display* dpy, XDevice
* data, but this last byte is null terminated and convenient for
* returning string properties, so the client doesn't then have to
* recopy the string to make it null terminated.
+ *
+ * Maximum item limits are set to both prevent integer overflow when
+ * calculating the amount of memory to malloc, and to limit how much
+ * memory will be used if a server provides an insanely high count.
*/
switch (rep.format) {
case 8:
- nbytes = rep.nItems;
- rbytes = rep.nItems + 1;
- if (rbytes > 0 &&
- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes)))
- _XReadPad (dpy, (char *) *prop, nbytes);
+ if (rep.nItems < INT_MAX) {
+ nbytes = rep.nItems;
+ rbytes = rep.nItems + 1;
+ if ((*prop = Xmalloc (rbytes)))
+ _XReadPad (dpy, (char *) *prop, nbytes);
+ else
+ ret = BadAlloc;
+ }
break;
case 16:
- nbytes = rep.nItems << 1;
- rbytes = rep.nItems * sizeof (short) + 1;
- if (rbytes > 0 &&
- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes)))
- _XRead16Pad (dpy, (short *) *prop, nbytes);
+ if (rep.nItems < (INT_MAX / sizeof (short))) {
+ nbytes = rep.nItems << 1;
+ rbytes = rep.nItems * sizeof (short) + 1;
+ if ((*prop = Xmalloc (rbytes)))
+ _XRead16Pad (dpy, (short *) *prop, nbytes);
+ else
+ ret = BadAlloc;
+ }
break;
case 32:
- nbytes = rep.nItems << 2;
- rbytes = rep.nItems * sizeof (long) + 1;
- if (rbytes > 0 &&
- (*prop = (unsigned char *) Xmalloc ((unsigned)rbytes)))
- _XRead32 (dpy, (long *) *prop, nbytes);
+ if (rep.nItems < (INT_MAX / sizeof (long))) {
+ nbytes = rep.nItems << 2;
+ rbytes = rep.nItems * sizeof (long) + 1;
+ if ((*prop = Xmalloc (rbytes)))
+ _XRead32 (dpy, (long *) *prop, nbytes);
+ else
+ ret = BadAlloc;
+ }
break;
default:
@@ -112,17 +127,13 @@ XGetDeviceProperty(Display* dpy, XDevice
* This part of the code should never be reached. If it is,
* the server sent back a property with an invalid format.
*/
- nbytes = rep.length << 2;
- _XEatData(dpy, (unsigned long) nbytes);
- UnlockDisplay(dpy);
- SyncHandle();
- return(BadImplementation);
+ ret = BadImplementation;
}
if (! *prop) {
- _XEatData(dpy, (unsigned long) nbytes);
- UnlockDisplay(dpy);
- SyncHandle();
- return(BadAlloc);
+ _XEatDataWords(dpy, rep.length);
+ if (ret == Success)
+ ret = BadAlloc;
+ goto out;
}
(*prop)[rbytes - 1] = '\0';
}
@@ -131,9 +142,10 @@ XGetDeviceProperty(Display* dpy, XDevice
*actual_format = rep.format;
*nitems = rep.nItems;
*bytes_after = rep.bytesAfter;
+ out:
UnlockDisplay (dpy);
SyncHandle ();
- return Success;
+ return ret;
}


@ -1,94 +0,0 @@
From 322ee3576789380222d4403366e4fd12fb24cb6a Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 10 Mar 2013 06:55:23 +0000
Subject: integer overflow in XGetFeedbackControl() [CVE-2013-1984 2/8]
If the number of feedbacks reported by the server is large enough that
it overflows when multiplied by the size of the appropriate struct, or
if the total size of all the feedback structures overflows when added
together, then memory corruption can occur when more bytes are copied from
the X server reply than the size of the buffer we allocated to hold them.
v2: check that reply size fits inside the data read from the server, so
we don't read out of bounds either
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
diff --git a/src/XGetFCtl.c b/src/XGetFCtl.c
index 28fab4d..bb50bf3 100644
--- src/XGetFCtl.c
+++ src/XGetFCtl.c
@@ -61,6 +61,7 @@ SOFTWARE.
#include <X11/extensions/XInput.h>
#include <X11/extensions/extutil.h>
#include "XIint.h"
+#include <limits.h>
XFeedbackState *
XGetFeedbackControl(
@@ -68,8 +69,6 @@ XGetFeedbackControl(
XDevice *dev,
int *num_feedbacks)
{
- int size = 0;
- int nbytes, i;
XFeedbackState *Feedback = NULL;
XFeedbackState *Sav = NULL;
xFeedbackState *f = NULL;
@@ -91,9 +90,16 @@ XGetFeedbackControl(
goto out;
if (rep.length > 0) {
+ unsigned long nbytes;
+ size_t size = 0;
+ int i;
+
*num_feedbacks = rep.num_feedbacks;
- nbytes = (long)rep.length << 2;
- f = (xFeedbackState *) Xmalloc((unsigned)nbytes);
+
+ if (rep.length < (INT_MAX >> 2)) {
+ nbytes = rep.length << 2;
+ f = Xmalloc(nbytes);
+ }
if (!f) {
_XEatDataWords(dpy, rep.length);
goto out;
@@ -102,6 +108,10 @@ XGetFeedbackControl(
_XRead(dpy, (char *)f, nbytes);
for (i = 0; i < *num_feedbacks; i++) {
+ if (f->length > nbytes)
+ goto out;
+ nbytes -= f->length;
+
switch (f->class) {
case KbdFeedbackClass:
size += sizeof(XKbdFeedbackState);
@@ -116,6 +126,8 @@ XGetFeedbackControl(
{
xStringFeedbackState *strf = (xStringFeedbackState *) f;
+ if (strf->num_syms_supported >= (INT_MAX / sizeof(KeySym)))
+ goto out;
size += sizeof(XStringFeedbackState) +
(strf->num_syms_supported * sizeof(KeySym));
}
@@ -130,10 +142,12 @@ XGetFeedbackControl(
size += f->length;
break;
}
+ if (size > INT_MAX)
+ goto out;
f = (xFeedbackState *) ((char *)f + f->length);
}
- Feedback = (XFeedbackState *) Xmalloc((unsigned)size);
+ Feedback = Xmalloc(size);
if (!Feedback)
goto out;
--
cgit v0.9.0.2-2-gbebe


@ -1,53 +0,0 @@
From 6dd6dc51a2935c72774be81e5cc2ba2c30e9feff Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 10 Mar 2013 06:55:23 +0000
Subject: integer overflow in XGetDeviceDontPropagateList() [CVE-2013-1984 3/8]
If the number of event classes reported by the server is large enough
that it overflows when multiplied by the size of the appropriate struct,
then memory corruption can occur when more bytes are copied from the
X server reply than the size of the buffer we allocated to hold them.
V2: EatData if count is 0 but length is > 0 to avoid XIOErrors
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
(limited to 'src/XGetProp.c')
--- src/XGetProp.c.orig 2011-12-20 00:28:44.000000000 +0000
+++ src/XGetProp.c 2013-05-29 16:49:01.000000000 +0000
@@ -60,6 +60,7 @@ SOFTWARE.
#include <X11/extensions/XInput.h>
#include <X11/extensions/extutil.h>
#include "XIint.h"
+#include <limits.h>
XEventClass *
XGetDeviceDontPropagateList(
@@ -89,11 +90,11 @@ XGetDeviceDontPropagateList(
}
*count = rep.count;
- if (*count) {
- rlen = rep.length << 2;
- list = (XEventClass *) Xmalloc(rep.length * sizeof(XEventClass));
+ if (rep.length != 0) {
+ if ((rep.count != 0) && (rep.length < (INT_MAX / sizeof(XEventClass))))
+ list = Xmalloc(rep.length * sizeof(XEventClass));
if (list) {
- int i;
+ unsigned int i;
CARD32 ec;
/* read and assign each XEventClass separately because
@@ -105,7 +106,7 @@ XGetDeviceDontPropagateList(
list[i] = (XEventClass) ec;
}
} else
- _XEatData(dpy, (unsigned long)rlen);
+ _XEatDataWords(dpy, rep.length);
}
UnlockDisplay(dpy);


@ -1,27 +0,0 @@
From 91434737f592e8f5cc1762383882a582b55fc03a Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 10 Mar 2013 07:37:23 +0000
Subject: memory corruption in _XIPassiveGrabDevice() [CVE-2013-1998 2/3]
If the server returned more modifiers than the caller asked for,
we'd just keep copying past the end of the array provided by the
caller, writing over who-knows-what happened to be there.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
diff --git a/src/XIPassiveGrab.c b/src/XIPassiveGrab.c
index ac17c01..53b4084 100644
--- src/XIPassiveGrab.c
+++ src/XIPassiveGrab.c
@@ -88,7 +88,7 @@ _XIPassiveGrabDevice(Display* dpy, int deviceid, int grabtype, int detail,
return -1;
_XRead(dpy, (char*)failed_mods, reply.num_modifiers * sizeof(xXIGrabModifierInfo));
- for (i = 0; i < reply.num_modifiers; i++)
+ for (i = 0; i < reply.num_modifiers && i < num_modifiers; i++)
{
modifiers_inout[i].status = failed_mods[i].status;
modifiers_inout[i].modifiers = failed_mods[i].modifiers;
--
cgit v0.9.0.2-2-gbebe


@ -1,52 +0,0 @@
From 242f92b490a695fbab244af5bad11b71f897c732 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 10 Mar 2013 06:55:23 +0000
Subject: integer overflow in XIGetProperty() [CVE-2013-1984 5/8]
If the number of items reported by the server is large enough that
it overflows when multiplied by the size of the appropriate item type,
then memory corruption can occur when more bytes are copied from the
X server reply than the size of the buffer we allocated to hold them.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
diff --git a/src/XIProperties.c b/src/XIProperties.c
index 5e58fb6..32436d1 100644
--- src/XIProperties.c
+++ src/XIProperties.c
@@ -38,6 +38,7 @@
#include <X11/extensions/XInput2.h>
#include <X11/extensions/extutil.h>
#include "XIint.h"
+#include <limits.h>
Atom*
XIListProperties(Display* dpy, int deviceid, int *num_props_return)
@@ -170,7 +171,7 @@ XIGetProperty(Display* dpy, int deviceid, Atom property, long offset,
{
xXIGetPropertyReq *req;
xXIGetPropertyReply rep;
- long nbytes, rbytes;
+ unsigned long nbytes, rbytes;
XExtDisplayInfo *info = XInput_find_display(dpy);
@@ -216,9 +217,11 @@ XIGetProperty(Display* dpy, int deviceid, Atom property, long offset,
* recopy the string to make it null terminated.
*/
- nbytes = rep.num_items * rep.format/8;
- rbytes = nbytes + 1;
- *data = Xmalloc(rbytes);
+ if (rep.num_items < (INT_MAX / (rep.format/8))) {
+ nbytes = rep.num_items * rep.format/8;
+ rbytes = nbytes + 1;
+ *data = Xmalloc(rbytes);
+ }
if (!(*data)) {
_XEatDataWords(dpy, rep.length);
--
cgit v0.9.0.2-2-gbebe


@ -1,85 +0,0 @@
From 528419b9ef437e7eeafb41bf45e8ff7d818bd845 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 10 Mar 2013 06:55:23 +0000
Subject: integer overflow in XIGetSelectedEvents() [CVE-2013-1984 6/8]
If the number of events or masks reported by the server is large enough
that it overflows when multiplied by the size of the appropriate struct,
or the sizes overflow as they are totaled up, then memory corruption can
occur when more bytes are copied from the X server reply than the size
of the buffer we allocated to hold them.
v2: check that reply size fits inside the data read from the server,
so that we don't read out of bounds either
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
diff --git a/src/XISelEv.c b/src/XISelEv.c
index f871222..0471bef 100644
--- src/XISelEv.c
+++ src/XISelEv.c
@@ -42,6 +42,7 @@ in this Software without prior written authorization from the author.
#include <X11/extensions/ge.h>
#include <X11/extensions/geproto.h>
#include "XIint.h"
+#include <limits.h>
int
XISelectEvents(Display* dpy, Window win, XIEventMask* masks, int num_masks)
@@ -101,13 +102,14 @@ out:
XIEventMask*
XIGetSelectedEvents(Display* dpy, Window win, int *num_masks_return)
{
- int i, len = 0;
+ unsigned int i, len = 0;
unsigned char *mask;
XIEventMask *mask_out = NULL;
xXIEventMask *mask_in = NULL, *mi;
xXIGetSelectedEventsReq *req;
xXIGetSelectedEventsReply reply;
XExtDisplayInfo *info = XInput_find_display(dpy);
+ size_t rbytes;
*num_masks_return = -1;
LockDisplay(dpy);
@@ -129,11 +131,16 @@ XIGetSelectedEvents(Display* dpy, Window win, int *num_masks_return)
goto out;
}
- mask_in = Xmalloc(reply.length * 4);
- if (!mask_in)
+ if (reply.length < (INT_MAX >> 2)) {
+ rbytes = (unsigned long) reply.length << 2;
+ mask_in = Xmalloc(rbytes);
+ }
+ if (!mask_in) {
+ _XEatDataWords(dpy, reply.length);
goto out;
+ }
- _XRead(dpy, (char*)mask_in, reply.length * 4);
+ _XRead(dpy, (char*)mask_in, rbytes);
/*
* This function takes interleaved xXIEventMask structs & masks off
@@ -148,8 +155,14 @@ XIGetSelectedEvents(Display* dpy, Window win, int *num_masks_return)
for (i = 0, mi = mask_in; i < reply.num_masks; i++)
{
- len += mi->mask_len * 4;
- mi = (xXIEventMask*)((char*)mi + mi->mask_len * 4);
+ unsigned int mask_bytes = mi->mask_len * 4;
+ len += mask_bytes;
+ if (len > INT_MAX)
+ goto out;
+ if ((sizeof(xXIEventMask) + mask_bytes) > rbytes)
+ goto out;
+ rbytes -= (sizeof(xXIEventMask) + mask_bytes);
+ mi = (xXIEventMask*)((char*)mi + mask_bytes);
mi++;
}
--
cgit v0.9.0.2-2-gbebe


@ -1,83 +0,0 @@
From 81b4df8ac6aa1520c41c3526961014a6f115cc46 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sun, 10 Mar 2013 08:16:22 +0000
Subject: sign extension issue in XListInputDevices() [CVE-2013-1995]
nptr is (signed) char, which can be negative, and will sign extend
when added to the int size, which means size can be subtracted from,
leading to allocating too small a buffer to hold the data being copied
from the X server's reply.
v2: check that string size fits inside the data read from the server,
so that we don't read out of bounds either
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
diff --git a/src/XListDev.c b/src/XListDev.c
index 1c14b96..b85ff3c 100644
--- src/XListDev.c
+++ src/XListDev.c
@@ -73,7 +73,7 @@ static int pad_to_xid(int base_size)
return ((base_size + padsize - 1)/padsize) * padsize;
}
-static int
+static size_t
SizeClassInfo(xAnyClassPtr *any, int num_classes)
{
int size = 0;
@@ -170,7 +170,7 @@ XListInputDevices(
register Display *dpy,
int *ndevices)
{
- int size;
+ size_t size;
xListInputDevicesReq *req;
xListInputDevicesReply rep;
xDeviceInfo *list, *slist = NULL;
@@ -178,7 +178,7 @@ XListInputDevices(
XDeviceInfo *clist = NULL;
xAnyClassPtr any, sav_any;
XAnyClassPtr Any;
- char *nptr, *Nptr;
+ unsigned char *nptr, *Nptr;
int i;
unsigned long rlen;
XExtDisplayInfo *info = XInput_find_display(dpy);
@@ -217,9 +217,12 @@ XListInputDevices(
size += SizeClassInfo(&any, (int)list->num_classes);
}
- for (i = 0, nptr = (char *)any; i < *ndevices; i++) {
+ Nptr = ((unsigned char *)list) + rlen + 1;
+ for (i = 0, nptr = (unsigned char *)any; i < *ndevices; i++) {
size += *nptr + 1;
nptr += (*nptr + 1);
+ if (nptr > Nptr)
+ goto out;
}
clist = (XDeviceInfoPtr) Xmalloc(size);
@@ -245,8 +248,8 @@ XListInputDevices(
}
clist = sclist;
- nptr = (char *)any;
- Nptr = (char *)Any;
+ nptr = (unsigned char *)any;
+ Nptr = (unsigned char *)Any;
for (i = 0; i < *ndevices; i++, clist++) {
clist->name = (char *)Nptr;
memcpy(Nptr, nptr + 1, *nptr);
@@ -256,6 +259,7 @@ XListInputDevices(
}
}
+ out:
XFree((char *)slist);
UnlockDisplay(dpy);
SyncHandle();
--
cgit v0.9.0.2-2-gbebe


@ -1,63 +0,0 @@
From 5398ac0797f7516f2c9b8f2869a6c6d071437352 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 27 Apr 2013 05:48:36 +0000
Subject: unvalidated lengths in XQueryDeviceState() [CVE-2013-1998 3/3]
If the lengths given for each class state in the reply add up to more
than the rep.length, we could read past the end of the buffer allocated
to hold the data read from the server.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
diff --git a/src/XQueryDv.c b/src/XQueryDv.c
index 69c285b..3836777 100644
--- src/XQueryDv.c
+++ src/XQueryDv.c
@@ -59,6 +59,7 @@ SOFTWARE.
#include <X11/extensions/XInput.h>
#include <X11/extensions/extutil.h>
#include "XIint.h"
+#include <limits.h>
XDeviceState *
XQueryDeviceState(
@@ -66,8 +67,8 @@ XQueryDeviceState(
XDevice *dev)
{
int i, j;
- int rlen;
- int size = 0;
+ unsigned long rlen;
+ size_t size = 0;
xQueryDeviceStateReq *req;
xQueryDeviceStateReply rep;
XDeviceState *state = NULL;
@@ -87,9 +88,11 @@ XQueryDeviceState(
if (!_XReply(dpy, (xReply *) & rep, 0, xFalse))
goto out;
- rlen = rep.length << 2;
- if (rlen > 0) {
- data = Xmalloc(rlen);
+ if (rep.length > 0) {
+ if (rep.length < (INT_MAX >> 2)) {
+ rlen = (unsigned long) rep.length << 2;
+ data = Xmalloc(rlen);
+ }
if (!data) {
_XEatDataWords(dpy, rep.length);
goto out;
@@ -97,6 +100,10 @@ XQueryDeviceState(
_XRead(dpy, data, rlen);
for (i = 0, any = (XInputClass *) data; i < (int)rep.num_classes; i++) {
+ if (any->length > rlen)
+ goto out;
+ rlen -= any->length;
+
switch (any->class) {
case KeyClass:
size += sizeof(XKeyState);
--
cgit v0.9.0.2-2-gbebe