Edit
IABSD.fr/xenocara/lib/libXi/src/XGetDProp.c
Branch :
-
Show log
Commit
-
Author :
matthieu
Date : 2013-05-23 22:42:07
Hash : 52f6d0ba
Message : Merge upstream fixes for several X libs vulnerabilities discovered by Ilja van Sprundel. CVE-2013-1981 X.org libX11 1.5.99.901 (1.6 RC1) integer overflows CVE-2013-1982 X.org libXext 1.3.1 integer overflows CVE-2013-1983 X.org libXfixes 5.0 integer overflows CVE-2013-1984 X.org libXi 1.7.1 integer overflows CVE-2013-1985 X.org libXinerama 1.1.2 integer overflows CVE-2013-1986 X.org libXrandr 1.4.0 integer overflows CVE-2013-1987 X.org libXrender 0.9.7 integer overflows CVE-2013-1988 X.org libXRes 1.0.6 integer overflows CVE-2013-1989 X.org libXv 1.0.7 integer overflows CVE-2013-1990 X.org libXvMC 1.0.7 integer overflows CVE-2013-1991 X.org libXxf86dga 1.1.3 integer overflows CVE-2013-1992 X.org libdmx 1.1.2 integer overflows CVE-2013-1994 X.org libchromeXvMC & libchromeXvMCPro in openChrome 0.3.2 integer overflows CVE-2013-1995 X.org libXi 1.7.1 sign extension issues CVE-2013-1996 X.org libFS 1.0.4 sign extension issues CVE-2013-1997 X.org libX11 1.5.99.901 (1.6 RC1) buffer overflows CVE-2013-1998 X.org libXi 1.7.1 buffer overflows CVE-2013-1999 X.org libXvMC 1.0.7 buffer overflows CVE-2013-2000 X.org libXxf86dga 1.1.3 buffer overflows CVE-2013-2001 X.org libXxf86vm 1.1.2 buffer overflows CVE-2013-2002 X.org libXt 1.1.3 buffer overflows CVE-2013-2003 X.org libXcursor 1.1.13 integer overflows CVE-2013-2004 X.org libX11 1.5.99.901 (1.6 RC1) unbounded recursion CVE-2013-2005 X.org libXt 1.1.3 memory corruption CVE-2013-2066 X.org libXv 1.0.7 buffer overflows
- lib/libXi/src/XGetDProp.c
-
/************************************************************ Copyright 2008 Peter Hutterer Permission to use, copy, modify, distribute, and sell this software and its documentation for any purpose is hereby granted without fee, provided that the above copyright notice appear in all copies and that both that copyright notice and this permission notice appear in supporting documentation. The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Except as contained in this notice, the name of the author shall not be used in advertising or otherwise to promote the sale, use or other dealings in this Software without prior written authorization from the author. */ /*********************************************************************** * XGetDeviceProperties - get an input device's properties. */ #ifdef HAVE_CONFIG_H #include <config.h> #endif #include <X11/Xlibint.h> #include <X11/extensions/XI.h> #include <X11/extensions/XIproto.h> #include <X11/extensions/XInput.h> #include <X11/extensions/extutil.h> #include "XIint.h" #include <limits.h> int XGetDeviceProperty(Display* dpy, XDevice* dev, Atom property, long offset, long length, Bool delete, Atom req_type, Atom *actual_type, int *actual_format, unsigned long *nitems, unsigned long *bytes_after, unsigned char **prop) { xGetDevicePropertyReq *req; xGetDevicePropertyReply rep; unsigned long nbytes, rbytes; int ret = Success; XExtDisplayInfo *info = XInput_find_display(dpy); LockDisplay(dpy); if (_XiCheckExtInit(dpy, XInput_Initial_Release, info) == -1) return 1; GetReq(GetDeviceProperty, req); req->reqType = info->codes->major_opcode; req->ReqType = X_GetDeviceProperty; req->deviceid = dev->device_id; req->property = property; req->type = req_type; req->longOffset = offset; req->longLength = length; req->delete = delete; if (!_XReply (dpy, (xReply *) &rep, 0, xFalse)) { UnlockDisplay (dpy); SyncHandle (); return 1; } *prop = (unsigned char *) NULL; if (rep.propertyType != None) { /* * One extra byte is malloced than is needed to contain the property * data, but this last byte is null terminated and convenient for * returning string properties, so the client doesn't then have to * recopy the string to make it null terminated. * * Maximum item limits are set to both prevent integer overflow when * calculating the amount of memory to malloc, and to limit how much * memory will be used if a server provides an insanely high count. */ switch (rep.format) { case 8: if (rep.nItems < INT_MAX) { nbytes = rep.nItems; rbytes = rep.nItems + 1; if ((*prop = Xmalloc (rbytes))) _XReadPad (dpy, (char *) *prop, nbytes); else ret = BadAlloc; } break; case 16: if (rep.nItems < (INT_MAX / sizeof (short))) { nbytes = rep.nItems << 1; rbytes = rep.nItems * sizeof (short) + 1; if ((*prop = Xmalloc (rbytes))) _XRead16Pad (dpy, (short *) *prop, nbytes); else ret = BadAlloc; } break; case 32: if (rep.nItems < (INT_MAX / sizeof (long))) { nbytes = rep.nItems << 2; rbytes = rep.nItems * sizeof (long) + 1; if ((*prop = Xmalloc (rbytes))) _XRead32 (dpy, (long *) *prop, nbytes); else ret = BadAlloc; } break; default: /* * This part of the code should never be reached. If it is, * the server sent back a property with an invalid format. */ ret = BadImplementation; } if (! *prop) { _XEatDataWords(dpy, rep.length); if (ret == Success) ret = BadAlloc; goto out; } (*prop)[rbytes - 1] = '\0'; } *actual_type = rep.propertyType; *actual_format = rep.format; *nitems = rep.nItems; *bytes_after = rep.bytesAfter; out: UnlockDisplay (dpy); SyncHandle (); return ret; }