debian/changelog | 3 +++
src/glx/XF86dri.c | 15 +++++++++++----
2 files changed, 14 insertions(+), 4 deletions(-)
New commits:
commit ae31e4927dff215946ef29fe62adbb958517f352
Author: Emilio Pozuelo Monfort <po...@debian.org>
Date: Mon May 27 21:10:41 2013 +0200
Add commits for CVE-2013-1993
diff --git a/debian/changelog b/debian/changelog
index 6aff50a..3a6d665 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -64,6 +64,9 @@ mesa (9.1.3-1) UNRELEASED; urgency=low
[ Rico Tzschichholz ]
* Update packaging mesa packaging with xorg-edgers
+ [ Emilio Pozuelo Monfort ]
+ * integer overflows calculating memory needs for replies [CVE-2013-1993]
+
-- Julien Cristau <jcris...@debian.org> Fri, 03 Aug 2012 23:17:16 +0200
mesa (8.0.5-4) unstable; urgency=low
commit f8250a278b2d3f0ec700bc8f6f37745a097a444d
Author: Alan Coopersmith <alan.coopersm...@oracle.com>
Date: Fri Apr 26 16:33:03 2013 -0700
integer overflow in XF86DRIGetClientDriverName() [CVE-2013-1993 2/2]
clientDriverNameLength is a CARD32 and needs to be bounds checked before
adding one to it to come up with the total size to allocate, to avoid
integer overflow leading to underallocation and writing data from the
network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>
Signed-off-by: Julien Cristau <jcris...@debian.org>
diff --git a/src/glx/XF86dri.c b/src/glx/XF86dri.c
index 77495ef..43290d6 100644
--- a/src/glx/XF86dri.c
+++ b/src/glx/XF86dri.c
@@ -305,9 +305,11 @@ XF86DRIGetClientDriverName(Display * dpy, int screen,
*ddxDriverPatchVersion = rep.ddxDriverPatchVersion;
if (rep.length) {
- if (!
- (*clientDriverName =
- calloc(rep.clientDriverNameLength + 1, 1))) {
+ if (rep.clientDriverNameLength < INT_MAX)
+ *clientDriverName = calloc(rep.clientDriverNameLength + 1, 1);
+ else
+ *clientDriverName = NULL;
+ if (*clientDriverName == NULL) {
_XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3));
UnlockDisplay(dpy);
SyncHandle();
commit c709efa5d3a51c86797f6fe5495dd79f3b1f6018
Author: Alan Coopersmith <alan.coopersm...@oracle.com>
Date: Fri Apr 26 16:31:58 2013 -0700
integer overflow in XF86DRIOpenConnection() [CVE-2013-1993 1/2]
busIdStringLength is a CARD32 and needs to be bounds checked before adding
one to it to come up with the total size to allocate, to avoid integer
overflow leading to underallocation and writing data from the network past
the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>
Signed-off-by: Julien Cristau <jcris...@debian.org>
diff --git a/src/glx/XF86dri.c b/src/glx/XF86dri.c
index b1cdc9b..77495ef 100644
--- a/src/glx/XF86dri.c
+++ b/src/glx/XF86dri.c
@@ -43,6 +43,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#include <X11/extensions/Xext.h>
#include <X11/extensions/extutil.h>
#include "xf86dristr.h"
+#include <limits.h>
static XExtensionInfo _xf86dri_info_data;
static XExtensionInfo *xf86dri_info = &_xf86dri_info_data;
@@ -201,7 +202,11 @@ XF86DRIOpenConnection(Display * dpy, int screen,
drm_handle_t * hSAREA,
}
if (rep.length) {
- if (!(*busIdString = calloc(rep.busIdStringLength + 1, 1))) {
+ if (rep.busIdStringLength < INT_MAX)
+ *busIdString = calloc(rep.busIdStringLength + 1, 1);
+ else
+ *busIdString = NULL;
+ if (*busIdString == NULL) {
_XEatData(dpy, ((rep.busIdStringLength + 3) & ~3));
UnlockDisplay(dpy);
SyncHandle();
--
To UNSUBSCRIBE, email to debian-x-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/e1uh2pg-0002z6...@vasks.debian.org
