autogen.sh | 4 ++-
configure.ac | 9 +++++--
src/Filter.c | 41 ++++++++++++++++++++------------
src/Xrender.c | 69 +++++++++++++++++++++++++++++++++++--------------------
src/Xrenderint.h | 14 +++++++++++
5 files changed, 94 insertions(+), 43 deletions(-)
New commits:
commit 61236e831f8cc0761b26b49e37a4df9c187aa0ba
Author: Alan Coopersmith <alan.coopersm...@oracle.com>
Date: Thu Jun 13 22:41:00 2013 -0700
libXrender 0.9.8
Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>
diff --git a/configure.ac b/configure.ac
index 7c2496c..4e6b271 100644
--- a/configure.ac
+++ b/configure.ac
@@ -29,7 +29,7 @@ AC_PREREQ([2.60])
 # digit in the version number to track changes which don't affect the
 # protocol, so Xrender version l.n.m corresponds to protocol version l.n
 #
-AC_INIT(libXrender, [0.9.7],
+AC_INIT(libXrender, [0.9.8],
 [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXrender])
 AC_CONFIG_SRCDIR([Makefile.am])
 AC_CONFIG_HEADERS([config.h])
commit 786f78fd8df6d165ccbc81f306fd9f22b5c1551c
Author: Alan Coopersmith <alan.coopersm...@oracle.com>
Date: Fri Apr 12 23:02:11 2013 -0700
integer overflow in XRenderQueryPictIndexValues() [CVE-2013-1987 3/3]
The length and numIndexValues members of the reply are both CARD32 and need to be bounds checked before multiplying by sizeof (XIndexValue) to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>
diff --git a/src/Xrender.c b/src/Xrender.c
index a62c753..3102eb2 100644
--- a/src/Xrender.c
+++ b/src/Xrender.c
@@ -844,7 +844,7 @@ XRenderQueryPictIndexValues(Display *dpy,
 xRenderQueryPictIndexValuesReq *req;
 xRenderQueryPictIndexValuesReply rep;
 XIndexValue *values;
- int nbytes, nread, rlength, i;
+ unsigned int nbytes, nread, rlength, i;
 RenderCheckExtension (dpy, info, NULL);
@@ -860,15 +860,22 @@ XRenderQueryPictIndexValues(Display *dpy,
 return NULL;
 }
- /* request data length */
- nbytes = (long)rep.length << 2;
- /* bytes of actual data in the request */
- nread = rep.numIndexValues * SIZEOF (xIndexValue);
- /* size of array returned to application */
- rlength = rep.numIndexValues * sizeof (XIndexValue);
+ if ((rep.length < (INT_MAX >> 2)) &&
+ (rep.numIndexValues < (INT_MAX / sizeof (XIndexValue)))) {
+ /* request data length */
+ nbytes = rep.length << 2;
+ /* bytes of actual data in the request */
+ nread = rep.numIndexValues * SIZEOF (xIndexValue);
+ /* size of array returned to application */
+ rlength = rep.numIndexValues * sizeof (XIndexValue);
+
+ /* allocate returned data */
+ values = Xmalloc (rlength);
+ } else {
+ nbytes = nread = rlength = 0;
+ values = NULL;
+ }
- /* allocate returned data */
- values = (XIndexValue *)Xmalloc (rlength);
 if (!values) {
 _XEatDataWords (dpy, rep.length);
commit 9e577d40322b9e3d8bdefec0eefa44d8ead451a4
Author: Alan Coopersmith <alan.coopersm...@oracle.com>
Date: Fri Apr 12 23:02:11 2013 -0700
integer overflow in XRenderQueryFormats() [CVE-2013-1987 2/3]
The length, numFormats, numScreens, numDepths, and numVisuals members of the reply are all CARD32 and need to be bounds checked before multiplying and adding them together to come up with the total size to allocate, to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>
diff --git a/src/Xrender.c b/src/Xrender.c
index 5c8e5f5..a62c753 100644
--- a/src/Xrender.c
+++ b/src/Xrender.c
@@ -26,6 +26,7 @@
 #include <config.h>
 #endif
 #include "Xrenderint.h"
+#include <limits.h>
 XRenderExtInfo XRenderExtensionInfo;
 char XRenderExtensionName[] = RENDER_NAME;
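Review bot: The new guard in XRenderQueryPictIndexValues keeps each product below INT_MAX but never relates `nread` to `nbytes`, so a reply whose numIndexValues implies more bytes than `rep.length` advertises is still accepted; the code that subsequently reads the values lies outside the hunk, and if it reads `nread` bytes it would presumably consume bytes belonging to the next reply on the connection. XRenderQueryFormats in this same series rejects the analogous inconsistency with `nbytes < rlength`; the same treatment fits here by adding `((rep.numIndexValues * SIZEOF (xIndexValue)) <= (rep.length << 2))` as a third conjunct of the new `if`, which is safe to evaluate only because the first two conjuncts already bound both operands, and which routes an inconsistent reply into the existing `else` branch to be drained by `_XEatDataWords`. The limits are compared against INT_MAX although the targets are now `unsigned int`; that is deliberately conservative and fine, but a one-line comment saying so, e.g. `/* INT_MAX rather than UINT_MAX: leaves headroom and matches the other Query* checks */`, would spare the next reader the question.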
@@ -411,8 +412,8 @@ XRenderQueryFormats (Display *dpy)
 CARD32 *xSubpixel;
 void *xData;
 int nf, ns, nd, nv;
- int rlength;
- int nbytes;
+ unsigned long rlength;
+ unsigned long nbytes;
 RenderCheckExtension (dpy, info, 0);
 LockDisplay (dpy);
@@ -458,18 +459,29 @@ XRenderQueryFormats (Display *dpy)
 if (async_state.major_version == 0 && async_state.minor_version < 6)
 rep.numSubpixel = 0;
- xri = (XRenderInfo *) Xmalloc (sizeof (XRenderInfo) +
- rep.numFormats * sizeof (XRenderPictFormat) +
- rep.numScreens * sizeof (XRenderScreen) +
- rep.numDepths * sizeof (XRenderDepth) +
- rep.numVisuals * sizeof (XRenderVisual));
- rlength = (rep.numFormats * sizeof (xPictFormInfo) +
- rep.numScreens * sizeof (xPictScreen) +
- rep.numDepths * sizeof (xPictDepth) +
- rep.numVisuals * sizeof (xPictVisual) +
- rep.numSubpixel * 4);
- xData = (void *) Xmalloc (rlength);
- nbytes = (int) rep.length << 2;
+ if ((rep.numFormats < ((INT_MAX / 4) / sizeof (XRenderPictFormat))) &&
+ (rep.numScreens < ((INT_MAX / 4) / sizeof (XRenderScreen))) &&
+ (rep.numDepths < ((INT_MAX / 4) / sizeof (XRenderDepth))) &&
+ (rep.numVisuals < ((INT_MAX / 4) / sizeof (XRenderVisual))) &&
+ (rep.numSubpixel < ((INT_MAX / 4) / 4)) &&
+ (rep.length < (INT_MAX >> 2)) ) {
+ xri = Xmalloc (sizeof (XRenderInfo) +
+ (rep.numFormats * sizeof (XRenderPictFormat)) +
+ (rep.numScreens * sizeof (XRenderScreen)) +
+ (rep.numDepths * sizeof (XRenderDepth)) +
+ (rep.numVisuals * sizeof (XRenderVisual)));
+ rlength = ((rep.numFormats * sizeof (xPictFormInfo)) +
+ (rep.numScreens * sizeof (xPictScreen)) +
+ (rep.numDepths * sizeof (xPictDepth)) +
+ (rep.numVisuals * sizeof (xPictVisual)) +
+ (rep.numSubpixel * 4));
+ xData = Xmalloc (rlength);
+ nbytes = (unsigned long) rep.length << 2;
+ } else {
+ xri = NULL;
+ xData = NULL;
+ rlength = nbytes = 0;
+ }
 if (!xri || !xData || nbytes < rlength)
 {
commit e52853974664289fe42a92909667ed77cfa1cec5
Author: Alan Coopersmith <alan.coopersm...@oracle.com>
Date: Fri Apr 12 22:45:20 2013 -0700
integer overflow in XRenderQueryFilters() [CVE-2013-1987 1/3]
The length, numFilters & numAliases members of the reply are all CARD32 and need to be bounds checked before multiplying & adding them together to come up with the total
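Review bot: The new guard in XRenderQueryFormats bounds six reply fields by INT_MAX / 4 without saying why that divisor was chosen, whereas the parallel change to XRenderQueryFilters in this series carries the comment "Limit each component of combined size to 1/4 the max"; the same explanation belongs above this `if`. Note that `rlength` sums five such terms and the `xri` size adds `sizeof (XRenderInfo)` to four, so the totals can exceed INT_MAX; they cannot wrap because this commit also makes `rlength` and `nbytes` `unsigned long`, so the comment should say that rather than "fits in an int". I would write `/* Each term stays below INT_MAX/4, so neither sum below can wrap an unsigned long; the nbytes < rlength test then rejects a reply shorter than its tables claim. */`. The enclosing function continues outside the hunk.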
size to allocate, to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer.
Reported-by: Ilja Van Sprundel <ivansprun...@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>
diff --git a/src/Filter.c b/src/Filter.c
index 924b2a3..edfa572 100644
--- a/src/Filter.c
+++ b/src/Filter.c
@@ -25,6 +25,7 @@
 #include <config.h>
 #endif
 #include "Xrenderint.h"
+#include <limits.h>
 XFilters *
 XRenderQueryFilters (Display *dpy, Drawable drawable)
@@ -37,7 +38,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
 char *name;
 char len;
 int i;
- long nbytes, nbytesAlias, nbytesName;
+ unsigned long nbytes, nbytesAlias, nbytesName;
 if (!RenderHasExtension (info))
 return NULL;
@@ -60,22 +61,32 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
 SyncHandle ();
 return NULL;
 }
- /*
- * Compute total number of bytes for filter names
- */
- nbytes = (long)rep.length << 2;
- nbytesAlias = rep.numAliases * 2;
- if (rep.numAliases & 1)
- nbytesAlias += 2;
- nbytesName = nbytes - nbytesAlias;
 /*
- * Allocate one giant block for the whole data structure
+ * Limit each component of combined size to 1/4 the max, which is far
+ * more than they should ever possibly need.
 */
- filters = Xmalloc (sizeof (XFilters) +
- rep.numFilters * sizeof (char *) +
- rep.numAliases * sizeof (short) +
- nbytesName);
+ if ((rep.length < (INT_MAX >> 2)) &&
+ (rep.numFilters < ((INT_MAX / 4) / sizeof (char *))) &&
+ (rep.numAliases < ((INT_MAX / 4) / sizeof (short)))) {
+ /*
+ * Compute total number of bytes for filter names
+ */
+ nbytes = (unsigned long)rep.length << 2;
+ nbytesAlias = rep.numAliases * 2;
+ if (rep.numAliases & 1)
+ nbytesAlias += 2;
+ nbytesName = nbytes - nbytesAlias;
+
+ /*
+ * Allocate one giant block for the whole data structure
+ */
+ filters = Xmalloc (sizeof (XFilters) +
+ (rep.numFilters * sizeof (char *)) +
+ (rep.numAliases * sizeof (short)) +
+ nbytesName);
+ } else
+ filters = NULL;
 if (!filters) {
commit 73e77eb21d649edc1ce1746739f9358e337b2935
Author: Alan Coopersmith <alan.coopersm...@oracle.com>
Date: Fri May 3 22:48:11 2013 -0700
Use _XEatDataWords to avoid overflow of rep.length bit shifting
rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com>
diff --git a/configure.ac b/configure.ac
index 19dce7a..7c2496c 100644
--- a/configure.ac
+++ b/configure.ac
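Review bot: `nbytesName = nbytes - nbytesAlias;` is now unsigned arithmetic and nothing in the new `if` guarantees nbytesAlias <= nbytes, so a reply whose numAliases needs more bytes than rep.length advertises wraps nbytesName to a value near ULONG_MAX and rejection then depends on Xmalloc failing for that size rather than on an explicit check. I would guard the subtraction's consumer, `if (nbytesAlias > nbytes) filters = NULL; else` placed directly before the "Allocate one giant block" comment so the Xmalloc statement becomes the else body, which sends such a reply down the existing `if (!filters)` path where it is drained with `_XEatDataWords`. That guard also records the relationship between the alias table and the name block that the read loop after this hunk, which lies outside it, presumably relies on.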
@@ -58,6 +58,12 @@ AC_SUBST(RENDER_VERSION)
 # Obtain compiler/linker options for depedencies
 PKG_CHECK_MODULES(RENDER, x11 renderproto >= $RENDER_VERSION)
+# Check for _XEatDataWords function that may be patched into older Xlib release
+SAVE_LIBS="$LIBS"
+LIBS="$RENDER_LIBS"
+AC_CHECK_FUNCS([_XEatDataWords])
+LIBS="$SAVE_LIBS"
+
 AC_CONFIG_FILES([Makefile src/Makefile xrender.pc])
diff --git a/src/Filter.c b/src/Filter.c
index 5fe9df9..924b2a3 100644
--- a/src/Filter.c
+++ b/src/Filter.c
@@ -79,7 +79,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
 if (!filters) {
- _XEatData (dpy, (unsigned long) rep.length << 2);
+ _XEatDataWords(dpy, rep.length);
 UnlockDisplay (dpy);
 SyncHandle ();
 return NULL;
diff --git a/src/Xrender.c b/src/Xrender.c
index 769503a..5c8e5f5 100644
--- a/src/Xrender.c
+++ b/src/Xrender.c
@@ -475,7 +475,7 @@ XRenderQueryFormats (Display *dpy)
 {
 if (xri) Xfree (xri);
 if (xData) Xfree (xData);
- _XEatData (dpy, nbytes);
+ _XEatDataWords (dpy, rep.length);
 UnlockDisplay (dpy);
 SyncHandle ();
 return 0;
@@ -859,7 +859,7 @@ XRenderQueryPictIndexValues(Display *dpy,
 values = (XIndexValue *)Xmalloc (rlength);
 if (!values) {
- _XEatData (dpy, nbytes);
+ _XEatDataWords (dpy, rep.length);
 UnlockDisplay (dpy);
 SyncHandle ();
 return NULL;
diff --git a/src/Xrenderint.h b/src/Xrenderint.h
index 57b13da..daaa6fe 100644
--- a/src/Xrenderint.h
+++ b/src/Xrenderint.h
@@ -109,4 +109,18 @@ XRenderFindDisplay (Display *dpy);
 #define DataInt32(dpy,d,len) Data(dpy,(char *) (d),len)
 #endif
+#ifndef HAVE__XEATDATAWORDS
+#include <X11/Xmd.h> /* for LONG64 on 64-bit platforms */
+#include <limits.h>
+
+static inline void _XEatDataWords(Display *dpy, unsigned long n)
+{
+# ifndef LONG64
+ if (n >= (ULONG_MAX >> 2))
+ _XIOError(dpy);
+# endif
+ _XEatData (dpy, n << 2);
+}
+#endif
+
 #endif /* _XRENDERINT_H_ */
commit 1af52cb334377611233d7dc156bc1e6f7923756d
Author: Colin Walters <walt...@verbum.org>
Date: Wed Jan 4 17:37:06 2012 -0500
autogen.sh: Implement GNOME Build API
http://people.gnome.org/~walters/docs/build-api.txt
Signed-off-by: Adam Jackson <a...@redhat.com>
diff --git a/autogen.sh b/autogen.sh
index 904cd67..fc34bd5 100755
--- a/autogen.sh
+++ b/autogen.sh
@@ -9,4 +9,6 @@ cd $srcdir
 autoreconf -v --install || exit 1
 cd $ORIGDIR || exit $?
-$srcdir/configure --enable-maintainer-mode "$@"
+if test -z "$NOCONFIGURE"; then
+ $srcdir/configure "$@"
+fi
commit a4265cd7a69349f1697f81e18303a77358e27f33
Author: Adam Jackson <a...@redhat.com>
Date: Tue Jan 15 14:28:48 2013 -0500
configure: Remove AM_MAINTAINER_MODE
Signed-off-by: Adam Jackson <a...@redhat.com>
diff --git a/configure.ac b/configure.ac
index bf7fe60..19dce7a 100644
--- a/configure.ac
+++ b/configure.ac
@@ -36,7 +36,6 @@ AC_CONFIG_HEADERS([config.h])
 # Initialize Automake
 AM_INIT_AUTOMAKE([foreign dist-bzip2])
-AM_MAINTAINER_MODE
 # Initialize libtool
 AC_PROG_LIBTOOL
--
To UNSUBSCRIBE, email to debian-x-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/e1utlze-0007kw...@vasks.debian.org
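Review bot: The fallback `_XEatDataWords` in Xrenderint.h relies on `_XIOError(dpy)` never returning; if the Xlib headers it is built against declare `_XIOError` without a noreturn attribute and the installed I/O error handler does return, control falls through to `_XEatData (dpy, n << 2)` with exactly the wrapped count the check exists to prevent. Making the intent explicit costs one token: `if (n >= (ULONG_MAX >> 2)) { _XIOError(dpy); return; }`. The `# ifndef LONG64` also deserves a comment, e.g. `/* n is a CARD32 reply length; only a 32-bit unsigned long can wrap on n << 2 */`, since the reason the check is skipped on 64-bit platforms is otherwise only implied by the Xmd.h include comment.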
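Review bot: The new line `$srcdir/configure "$@"` leaves `$srcdir` unquoted while the arguments are quoted, so a source directory whose path contains whitespace is split into several words; `"$srcdir/configure" "$@"` keeps it intact (the pre-existing `cd $srcdir` in the hunk context has the same weakness but is not part of this change). A one-line comment above the `if`, e.g. `# GNOME Build API: set NOCONFIGURE to skip running configure`, would also help, since the link in the commit message is currently the only place the variable is explained.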