
[xwin-commits] [solaris-x11~x-s11-update-clone:1349] 16864396 XvMC regression due to upstream patch

  • From:
  • To:
  • Subject: [xwin-commits] [solaris-x11~x-s11-update-clone:1349] 16864396 XvMC regression due to upstream patch
  • Date: Sat, 25 May 2013 00:20:59 +0000

Project:    solaris-x11
Repository: x-s11-update-clone
Revision:   1349
Author:     x-hg
Date:       2013-05-24 22:50:17 UTC
Link:       

Log Message:
------------
16862421 setxkbmap does not set any layout
16864396 XvMC regression due to upstream patch


Revisions:
----------
1348
1349


Modified Paths:
---------------
open-src/lib/libX11/CVE-2013-1997.patch
open-src/lib/libXvMC/CVE-2013-1990.patch


Diffs:
------
diff -r 375444972d0d -r c05f6f3f5f1a open-src/lib/libX11/CVE-2013-1997.patch
--- a/open-src/lib/libX11/CVE-2013-1997.patch   Wed May 22 11:43:48 2013 -0700
+++ b/open-src/lib/libX11/CVE-2013-1997.patch   Fri May 24 11:40:22 2013 -0700
@@ -787,3 +787,51 @@
 -- 
 1.7.9.2
 
+From a3bdd2b090915fe0163b062f0e6576fe05dd332e Mon Sep 17 00:00:00 2001
+From: Julien Cristau 
< >
+Date: Thu, 23 May 2013 20:39:46 +0200
+Subject: [PATCH:libX11] xkb: fix off-by-one in _XkbReadGetNamesReply and
+ _XkbReadVirtualModMap
+
+The size of the arrays is max_key_code + 1.  This makes these functions
+consistent with the other checks added for CVE-2013-1997.
+
+Also check the XkbGetNames reply when names->keys was just allocated.
+
+Signed-off-by: Julien Cristau 
< >
+Tested-by: Colin Walters 
< >
+Reviewed-by: Alan Coopersmith 
< >
+---
+ src/xkb/XKBGetMap.c |    2 +-
+ src/xkb/XKBNames.c  |    2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/xkb/XKBGetMap.c b/src/xkb/XKBGetMap.c
+index 0875dfd..c73e655 100644
+--- a/src/xkb/XKBGetMap.c
++++ b/src/xkb/XKBGetMap.c
+@@ -426,7 +426,7 @@ XkbServerMapPtr            srv;

+     if ( rep->totalVModMapKeys>0 ) {
+       if (((int) rep->firstVModMapKey + rep->nVModMapKeys)
+-           > xkb->max_key_code)
++           > xkb->max_key_code + 1)
+           return BadLength;
+       if (((xkb->server==NULL)||(xkb->server->vmodmap==NULL))&&
+           (XkbAllocServerMap(xkb,XkbVirtualModMapMask,0)!=Success)) {
+diff --git a/src/xkb/XKBNames.c b/src/xkb/XKBNames.c
+index 0f1e48e..3a8860b 100644
+--- a/src/xkb/XKBNames.c
++++ b/src/xkb/XKBNames.c
+@@ -180,7 +180,7 @@ _XkbReadGetNamesReply(     Display *               dpy,
+           nKeys= xkb->max_key_code+1;
+           names->keys= _XkbTypedCalloc(nKeys,XkbKeyNameRec);
+       }
+-      else if ( ((int)rep->firstKey + rep->nKeys) > xkb->max_key_code)
++      if ( ((int)rep->firstKey + rep->nKeys) > xkb->max_key_code + 1)
+           goto BAILOUT;
+       if (names->keys!=NULL) {
+           if (!_XkbCopyFromReadBuffer(&buf,
+-- 
+1.7.9.2
+
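Review bot: The `+ 1` bounds in both XKB checks are only correct if the destination arrays hold max_key_code + 1 entries, and neither check says so where it is made. In the XKBNames.c hunk that size is visible only for the freshly allocated case (`nKeys= xkb->max_key_code+1`). For an already-allocated names->keys, and for server->vmodmap in XKBGetMap.c, the allocation is outside the hunk, so the size should be confirmed against the allocators. I would add a comment above each test, e.g. `/* keys[] has max_key_code + 1 entries, so firstKey + nKeys may equal that but not exceed it */`, so the bound is not later "corrected" back to the off-by-one. Both functions begin and end outside the hunks shown.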


diff -r c05f6f3f5f1a -r f430f604f391 open-src/lib/libXvMC/CVE-2013-1990.patch
--- a/open-src/lib/libXvMC/CVE-2013-1990.patch  Fri May 24 11:40:22 2013 -0700
+++ b/open-src/lib/libXvMC/CVE-2013-1990.patch  Fri May 24 15:50:17 2013 -0700
@@ -327,3 +327,42 @@
 -- 
 1.7.9.2
 
+From 8c164524d229adb6141fdac8336b3823e7fe1a5d Mon Sep 17 00:00:00 2001
+From: Dave Airlie 
< >
+Date: Fri, 24 May 2013 14:47:30 +1000
+Subject: [PATCH:libXvMC] Multiple unvalidated patches in CVE-2013-1999
+
+Al Viro pointed out that Debian started segfaulting in Xine for him,
+
+Reported-by: Al Viro
+Signed-off-by: Dave Airlie 
< >
+---
+ src/XvMC.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/XvMC.c b/src/XvMC.c
+index cb42487..74c8b85 100644
+--- a/src/XvMC.c
++++ b/src/XvMC.c
+@@ -585,15 +585,15 @@ Status XvMCGetDRInfo(Display *dpy, XvPortID port,
+       if (*name && *busID && tmpBuf) {
+           _XRead(dpy, tmpBuf, realSize);
+           strncpy(*name,tmpBuf,rep.nameLen);
+-          name[rep.nameLen - 1] = '\0';
++          (*name)[rep.nameLen - 1] = '\0';
+           strncpy(*busID,tmpBuf+rep.nameLen,rep.busIDLen);
+-          busID[rep.busIDLen - 1] = '\0';
++          (*busID)[rep.busIDLen - 1] = '\0';
+           XFree(tmpBuf);
+       } else {
+           XFree(*name);
+           *name = NULL;
+           XFree(*busID);
+-          *name = NULL;
++          *busID = NULL;
+           XFree(tmpBuf);

+           _XEatDataWords(dpy, rep.length);
+-- 
+1.7.9.2
+
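Review bot: The terminator writes `(*name)[rep.nameLen - 1] = '\0';` and `(*busID)[rep.busIDLen - 1] = '\0';` index at length minus one with no visible check that the server-supplied length is non-zero. If either length can be 0, the write lands outside the buffer, and if the length field is unsigned (likely for a wire value, but not shown here) the index wraps to a very large offset. The allocations and any earlier length validation sit above the hunk, since XvMCGetDRInfo begins outside it, so confirm that a zero length is rejected there. Otherwise guard each write, e.g. `if (rep.nameLen) (*name)[rep.nameLen - 1] = '\0';`, or route zero-length replies to the existing else branch that frees and NULLs both outputs.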






[xwin-commits] [solaris-x11~x-s11-update-clone:1349] 16864396 XvMC regression due to upstream patch

x-hg 05/25/2013
 
 