NEWS | 8 ++++++++ configure.ac | 2 +- src/via_outputs.c | 2 +- src/xvmc/xf86dri.c | 14 +++++++++++--- 4 files changed, 21 insertions(+), 5 deletions(-)
New commits: commit 0c17f81ad43d42958ab3871c9b5c5e9cea402256 Author: Xavier Bachelot <[email protected]> Date: Wed May 22 18:58:48 2013 +0200 Bump version to 0.3.3 diff --git a/NEWS b/NEWS index 917aea0..eb1b8f8 100644 --- a/NEWS +++ b/NEWS @@ -1,3 +1,11 @@ +openchrome 0.3.3 (23/05/2013) +----------------------------- + +This is a bugfix release. +- Fix integer overflow in libchromeXvMC (CVE-2013-1994). +- Various bug fixes and improvements. + + openchrome 0.3.2 (27/03/2013) ----------------------------- diff --git a/configure.ac b/configure.ac index 238e3af..b13cb2c 100644 --- a/configure.ac +++ b/configure.ac @@ -23,7 +23,7 @@ # Initialize Autoconf AC_PREREQ(2.57) AC_INIT([xf86-video-openchrome], - [0.3.2], + [0.3.3], [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg&component=Driver/openchrome], [xf86-video-openchrome]) commit db309e3cd87a1279e8b592a692390755c528de4f Author: Alan Coopersmith <[email protected]> Date: Sat Apr 13 20:57:07 2013 -0700 integer overflow in uniDRIGetClientDriverName() in libchromeXvMC* [CVE-2013-1994 2/2] clientDriverNameLength is a CARD32 and needs to be bounds checked before adding one to it to come up with the total size to allocate, to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel <[email protected]> Signed-off-by: Alan Coopersmith <[email protected]> diff --git a/src/xvmc/xf86dri.c b/src/xvmc/xf86dri.c index fba7583..c5702ec 100644 --- a/src/xvmc/xf86dri.c +++ b/src/xvmc/xf86dri.c @@ -314,8 +314,11 @@ uniDRIGetClientDriverName(dpy, screen, ddxDriverMajorVersion, *ddxDriverPatchVersion = rep.ddxDriverPatchVersion; if (rep.length) { - if (!(*clientDriverName = - (char *)Xcalloc(rep.clientDriverNameLength + 1, 1))) { + if (rep.clientDriverNameLength < INT_MAX) + *clientDriverName = Xcalloc(rep.clientDriverNameLength + 1, 1); + else + *clientDriverName = NULL; + if (*clientDriverName == NULL) { _XEatData(dpy, ((rep.clientDriverNameLength + 3) & ~3)); UnlockDisplay(dpy); SyncHandle(); commit 68bf50ce4903ec93da59cea78e063ed7c3882d3e Author: Alan Coopersmith <[email protected]> Date: Sat Apr 13 20:49:43 2013 -0700 integer overflow in uniDRIOpenConnection() in libchromeXvMC* [CVE-2013-1994 1/2] busIdStringLength is a CARD32 and needs to be bounds checked before adding one to it to come up with the total size to allocate, to avoid integer overflow leading to underallocation and writing data from the network past the end of the allocated buffer. Reported-by: Ilja Van Sprundel <[email protected]> Signed-off-by: Alan Coopersmith <[email protected]> diff --git a/src/xvmc/xf86dri.c b/src/xvmc/xf86dri.c index 1feb232..fba7583 100644 --- a/src/xvmc/xf86dri.c +++ b/src/xvmc/xf86dri.c @@ -42,6 +42,7 @@ SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. #include <X11/extensions/Xext.h> #include <X11/extensions/extutil.h> #include "xf86dristr.h" +#include <limits.h> static XExtensionInfo _xf86dri_info_data; static XExtensionInfo *xf86dri_info = &_xf86dri_info_data; @@ -203,7 +204,11 @@ uniDRIOpenConnection(dpy, screen, hSAREA, busIdString) } #endif if (rep.length) { - if (!(*busIdString = (char *)Xcalloc(rep.busIdStringLength + 1, 1))) { + if (rep.busIdStringLength < INT_MAX) + *busIdString = Xcalloc(rep.busIdStringLength + 1, 1); + else + *busIdString = NULL; + if (*busIdString == NULL) { _XEatData(dpy, ((rep.busIdStringLength + 3) & ~3)); UnlockDisplay(dpy); SyncHandle(); commit 50cef9490c6a128613c5b9f3f19ef2e803088983 Author: Xavier Bachelot <[email protected]> Date: Tue May 21 21:24:41 2013 +0200 Probe TV encoder on all but the P4M900, unless we know the board has a TV encoder. Probing the TV encoder on the P4M900 chipset family when there is no such encoder is not safe. It is safe however on all other platforms. diff --git a/src/via_outputs.c b/src/via_outputs.c index 7e0c5e4..1271fc8 100644 --- a/src/via_outputs.c +++ b/src/via_outputs.c @@ -885,7 +885,7 @@ ViaOutputsDetect(ScrnInfoPtr pScrn) * disables the panel on P4M900 */ /* TV encoder */ - if (pVia->ActiveDevice & VIA_DEVICE_TV) + if ((pVia->Chipset != VIA_P4M900) || (pVia->ActiveDevice & VIA_DEVICE_TV)) via_tv_init(pScrn); if (pVia->ActiveDevice & VIA_DEVICE_DFP) { _______________________________________________ Openchrome-devel mailing list [email protected] http://lists.freedesktop.org/mailman/listinfo/openchrome-devel
