Fixes from upstreams for vulnerabilities reported by Ilja Van Sprundel

Integer overflow in XF86DRIOpenConnection() and XF86DRIGetClientDriverName() [CVE-2013-1993] Reminded by jsg@. Thanks
2013-06-10 19:21:20 +00:00 · 2013-06-10 19:21:20 +00:00 · ff44df0816
commit ff44df0816
parent 120dbb0038
1 changed files with 11 additions and 4 deletions
--- a/dist/Mesa/src/glx/XF86dri.c
+++ b/dist/Mesa/src/glx/XF86dri.c
@ -43,6 +43,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 #include <X11/extensions/Xext.h>
 #include <X11/extensions/extutil.h>
 #include "xf86dristr.h"
+#include <limits.h>

 static XExtensionInfo _xf86dri_info_data;
 static XExtensionInfo *xf86dri_info = &_xf86dri_info_data;
@ -201,7 +202,11 @@ XF86DRIOpenConnection(Display * dpy, int screen, drm_handle_t * hSAREA,
   }

   if (rep.length) {
-      if (!(*busIdString = (char *) Xcalloc(rep.busIdStringLength + 1, 1))) {
+      if (rep.busIdStringLength < INT_MAX)
+         *busIdString = Xcalloc(rep.busIdStringLength + 1, 1);
+      else
+         *busIdString = NULL;
+      if (*busIdString == NULL) {
         _XEatData(dpy, ((rep.busIdStringLength + 3) & ~3));
         UnlockDisplay(dpy);
         SyncHandle();
@ -300,9 +305,11 @@ XF86DRIGetClientDriverName(Display * dpy, int screen,
   *ddxDriverPatchVersion = rep.ddxDriverPatchVersion;

   if (rep.length) {
-      if (!
-          (*clientDriverName =
-           (char *) Xcalloc(rep.clientDriverNameLength + 1, 1))) {
+      if (rep.clientDriverNameLength < INT_MAX)
+         *clientDriverName = Xcalloc(rep.clientDriverNameLength + 1, 1);
+      else
+         *clientDriverName = NULL;
+      if (*clientDriverName == NULL) {
         _XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3));
         UnlockDisplay(dpy);
         SyncHandle();