Author: branden
Date: 2003-09-27 03:28:04 -0500 (Sat, 27 Sep 2003)
New Revision: 593
Modified:
branches/4.3.0/sid/debian/changelog
branches/4.3.0/sid/debian/patches/000_post430.diff
Log:
SECURITY: Fix overflows in the test for integer overflows. Reported by
Paul Anderson.
- debian/patches/000_post430.diff
Modified: branches/4.3.0/sid/debian/changelog
===================================================================
--- branches/4.3.0/sid/debian/changelog 2003-09-27 07:42:15 UTC (rev 592)
+++ branches/4.3.0/sid/debian/changelog 2003-09-27 08:28:04 UTC (rev 593)
@@ -1,4 +1,4 @@
-xfree86 (4.3.0-0pre1v3) experimental; urgency=low
+xfree86 (4.3.0-0pre1v3) experimental; urgency=high
* Update pam_setcred() security fix to xdm to use pam_error and
pam_strerror().
@@ -12,8 +12,12 @@
- debian/rules: stop constructing package
- debian/xlibmesa-drm-src.install: deleted
- -- Branden Robinson <[EMAIL PROTECTED]> Tue, 23 Sep 2003 15:00:38 -0500
+ * SECURITY: Fix overflows in the test for integer overflows. Reported by
+ Paul Anderson.
+ - debian/patches/000_post430.diff
+ -- Branden Robinson <[EMAIL PROTECTED]> Sat, 27 Sep 2003 03:26:49 -0500
+
xfree86 (4.3.0-0pre1v2) experimental; urgency=low
* debian/patches/911_debian_XF86Config_to_XF86Config-4.diff: merge this
Modified: branches/4.3.0/sid/debian/patches/000_post430.diff
===================================================================
--- branches/4.3.0/sid/debian/patches/000_post430.diff 2003-09-27 07:42:15 UTC
(rev 592)
+++ branches/4.3.0/sid/debian/patches/000_post430.diff 2003-09-27 08:28:04 UTC
(rev 593)
@@ -241,6 +241,9 @@
(Alan Coopersmith, Marc La France, Oswald Buddenhagen, Matthieu Herrb,
Nicolas JOLY, Jason L. Wright, Joel Ray Holveck).
+(xc/lib/FS/{FSFtNames.c,FSGetCats.c,FSListCats.c,FSListExt.c}):
+ Fix overflows in the test for integer overflows. Reported by Paul Anderson.
+
Index: xc/config/cf/NetBSD.cf
===================================================================
RCS file: /cvs/xc/config/cf/NetBSD.cf,v
@@ -673,17 +676,17 @@
===================================================================
RCS file: /cvs/xc/lib/FS/FSFtNames.c,v
retrieving revision 1.2
-retrieving revision 1.2.4.2
-diff -u -r1.2 -r1.2.4.2
+retrieving revision 1.2.4.3
+diff -u -r1.2 -r1.2.4.3
--- xc/lib/FS/FSFtNames.c 14 Dec 2001 19:53:32 -0000 1.2
-+++ xc/lib/FS/FSFtNames.c 1 Sep 2003 21:05:35 -0000 1.2.4.2
++++ xc/lib/FS/FSFtNames.c 25 Sep 2003 20:58:39 -0000 1.2.4.3
@@ -78,7 +78,8 @@
(SIZEOF(fsListFontsReply) - SIZEOF(fsGenericReply)) >> 2, fsFalse))
return (char **) 0;
- if (rep.nFonts) {
+ if (rep.nFonts && rep.nFonts <= SIZE_MAX / sizeof(char *)
-+ && rep.length <= ((SIZE_MAX + SIZEOF(fsListFontsReply) - 1) >> 2)) {
++ && rep.length <= (SIZE_MAX >> 2)) {
flist = (char **) FSmalloc((unsigned) rep.nFonts * sizeof(char *));
rlen = (rep.length << 2) - SIZEOF(fsListFontsReply);
c = (char *) FSmalloc((unsigned) (rlen + 1));
@@ -691,17 +694,17 @@
===================================================================
RCS file: /cvs/xc/lib/FS/FSGetCats.c,v
retrieving revision 1.2
-retrieving revision 1.2.4.2
-diff -u -r1.2 -r1.2.4.2
+retrieving revision 1.2.4.3
+diff -u -r1.2 -r1.2.4.3
--- xc/lib/FS/FSGetCats.c 14 Dec 2001 19:53:32 -0000 1.2
-+++ xc/lib/FS/FSGetCats.c 1 Sep 2003 21:05:35 -0000 1.2.4.2
++++ xc/lib/FS/FSGetCats.c 25 Sep 2003 20:58:39 -0000 1.2.4.3
@@ -72,9 +72,10 @@
SyncHandle();
return (char **) NULL;
}
- if (rep.num_catalogues) {
+ if (rep.num_catalogues && rep.num_catalogues <= SIZE_MAX/sizeof(char *)
-+ && rep.length <= ((SIZE_MAX + SIZEOF(fsGetCataloguesReply) - 1)>>2)) {
++ && rep.length <= (SIZE_MAX >> 2)) {
list = (char **)
- FSmalloc((unsigned) (rep.num_catalogues * sizeof(char *)));
+ FSmalloc((unsigned) (rep.num_catalogues * sizeof(char *)));
@@ -712,17 +715,17 @@
===================================================================
RCS file: /cvs/xc/lib/FS/FSListCats.c,v
retrieving revision 1.2
-retrieving revision 1.2.4.2
-diff -u -r1.2 -r1.2.4.2
+retrieving revision 1.2.4.3
+diff -u -r1.2 -r1.2.4.3
--- xc/lib/FS/FSListCats.c 14 Dec 2001 19:53:32 -0000 1.2
-+++ xc/lib/FS/FSListCats.c 1 Sep 2003 21:05:36 -0000 1.2.4.2
++++ xc/lib/FS/FSListCats.c 25 Sep 2003 20:58:39 -0000 1.2.4.3
@@ -78,7 +78,8 @@
(SIZEOF(fsListCataloguesReply) - SIZEOF(fsGenericReply)) >> 2, fsFalse))
return (char **) 0;
- if (rep.num_catalogues) {
+ if (rep.num_catalogues && rep.num_catalogues <= SIZE_MAX/sizeof(char *)
-+ && rep.length <= ((SIZE_MAX+SIZEOF(fsListCataloguesReply)+1)>>2)) {
++ && rep.length <= (SIZE_MAX>>2)) {
clist = (char **)
FSmalloc((unsigned) rep.num_catalogues * sizeof(char *));
rlen = (rep.length << 2) - SIZEOF(fsListCataloguesReply);
@@ -730,17 +733,17 @@
===================================================================
RCS file: /cvs/xc/lib/FS/FSListExt.c,v
retrieving revision 1.2
-retrieving revision 1.2.4.2
-diff -u -r1.2 -r1.2.4.2
+retrieving revision 1.2.4.3
+diff -u -r1.2 -r1.2.4.3
--- xc/lib/FS/FSListExt.c 14 Dec 2001 19:53:32 -0000 1.2
-+++ xc/lib/FS/FSListExt.c 1 Sep 2003 21:05:36 -0000 1.2.4.2
++++ xc/lib/FS/FSListExt.c 25 Sep 2003 20:58:39 -0000 1.2.4.3
@@ -72,7 +72,8 @@
SyncHandle();
return (char **) NULL;
}
- if (rep.nExtensions) {
+ if (rep.nExtensions && rep.nExtensions <= SIZE_MAX / sizeof(char *)
-+ && rep.length <= ((SIZE_MAX+SIZEOF(fsListExtensionsReply)+1)>>2)) {
++ && rep.length <= (SIZE_MAX>>2)) {
list = (char **) FSmalloc((unsigned)(rep.nExtensions * sizeof(char *)));
rlen = (rep.length << 2) - SIZEOF(fsListExtensionsReply);
c = (char *) FSmalloc((unsigned) rlen + 1);
