main/libxxf86dga: fix CVE-2013-1991,CVE-2013-2000

ref #1931

main/libxxf86dga/0001-Use-_XEatDataWords-to-avoid-overflow-of-rep.length-s.patch

@@ -0,0 +1,76 @@
+From 6fa471be7a005bde97bcb5ca5a17662ea8d32587 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 12:05:25 -0700
+Subject: [PATCH 1/6] Use _XEatDataWords to avoid overflow of rep.length
+ shifting
+
+rep.length is a CARD32, so rep.length << 2 could overflow in 32-bit builds
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ configure.ac   |  6 ++++++
+ src/XF86DGA2.c | 17 ++++++++++++++++-
+ 2 files changed, 22 insertions(+), 1 deletion(-)
+
+diff --git a/configure.ac b/configure.ac
+index 0558326..955fa3c 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -22,6 +22,12 @@ XORG_CHECK_MALLOC_ZERO
+ # Obtain compiler/linker options for depedencies
+ PKG_CHECK_MODULES(XXF86DGA, xproto x11 xextproto xext [xf86dgaproto >= 2.0.99.2])
+ 
++# Check for _XEatDataWords function that may be patched into older Xlib release
++SAVE_LIBS="$LIBS"
++LIBS="$XXF86DGA_LIBS"
++AC_CHECK_FUNCS([_XEatDataWords])
++LIBS="$SAVE_LIBS"
++
+ AC_CONFIG_FILES([Makefile
+ 		src/Makefile
+ 		man/Makefile
+diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
+index 964de18..c17c7f1 100644
+--- a/src/XF86DGA2.c
++++ b/src/XF86DGA2.c
+@@ -6,6 +6,9 @@ Copyright (c) 1995,1996  The XFree86 Project, Inc
+ */
+ 
+ /* THIS IS NOT AN X CONSORTIUM STANDARD */
++#ifdef HAVE_CONFIG_H
++#include <config.h>
++#endif
+ 
+ #ifdef __UNIXOS2__ /* needed here to override certain constants in X headers */
+ #define INCL_DOS
+@@ -22,6 +25,18 @@ Copyright (c) 1995,1996  The XFree86 Project, Inc
+ #include <stdio.h>
+ 
+ #include <stdint.h>
++#include <limits.h>
++
++#ifndef HAVE__XEATDATAWORDS
++static inline void _XEatDataWords(Display *dpy, unsigned long n)
++{
++# ifndef LONG64
++    if (n >= (ULONG_MAX >> 2))
++        _XIOError(dpy);
++# endif
++    _XEatData (dpy, n << 2);
++}
++#endif
+ 
+ /* If you change this, change the Bases[] array below as well */
+ #define MAX_HEADS 16
+@@ -342,7 +357,7 @@ XDGAMode* XDGAQueryModes(
+ 	      }
+ 	      *num = rep.number;
+ 	   } else
+-		_XEatData(dpy, rep.length << 2);
++		_XEatDataWords(dpy, rep.length);
+ 	}
+     }
+ 
+-- 
+1.8.2.3
+

main/libxxf86dga/0002-integer-overflow-in-XDGAQueryModes-CVE-2013-1991-1-2.patch

@@ -0,0 +1,52 @@
+From f4a8dd63af518640468d82948f450aad4b2b1e6a Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 12:18:57 -0700
+Subject: [PATCH 2/6] integer overflow in XDGAQueryModes() [CVE-2013-1991 1/2]
+
+number is a CARD32 and needs to be bounds checked before multiplying by
+sizeof(XDGAmode) to come up with the total size to allocate, to avoid
+integer overflow leading to underallocation and writing data from the
+network past the end of the allocated buffer.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XF86DGA2.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
+index c17c7f1..8830266 100644
+--- a/src/XF86DGA2.c
++++ b/src/XF86DGA2.c
+@@ -312,16 +312,21 @@ XDGAMode* XDGAQueryModes(
+     if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) {
+ 	if(rep.length) {
+ 	   xXDGAModeInfo info;
+-	   int i, size;
++	   unsigned long size = 0;
+ 	   char *offset;
+ 
+-	   size = rep.length << 2;
+-	   size -= rep.number * sz_xXDGAModeInfo; /* find text size */
+-	   modes = (XDGAMode*)Xmalloc((rep.number * sizeof(XDGAMode)) + size);
+-	   offset = (char*)(&modes[rep.number]); /* start of text */
+-
++	   if ((rep.length < (INT_MAX >> 2)) &&
++	       (rep.number < (INT_MAX / sizeof(XDGAMode)))) {
++	       size = rep.length << 2;
++	       if (size > (rep.number * sz_xXDGAModeInfo)) {
++		   size -= rep.number * sz_xXDGAModeInfo; /* find text size */
++		   modes = Xmalloc((rep.number * sizeof(XDGAMode)) + size);
++		   offset = (char*)(&modes[rep.number]);  /* start of text */
++	       }
++	   }
+ 
+-	   if(modes) {
++	   if (modes != NULL) {
++	      unsigned int i;
+ 	      for(i = 0; i < rep.number; i++) {
+ 		_XRead(dpy, (char*)(&info), sz_xXDGAModeInfo);
+ 
+-- 
+1.8.2.3
+

main/libxxf86dga/0003-buffer-overflow-in-XDGAQueryModes-CVE-2013-2000-1-2.patch

@@ -0,0 +1,43 @@
+From 5dcfa6a8cf2df39828da733e5945e730518c27b3 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 12:27:10 -0700
+Subject: [PATCH 3/6] buffer overflow in XDGAQueryModes() [CVE-2013-2000 1/2]
+
+When reading the name strings for the modes off the network, we never
+checked to make sure the length of the individual name strings didn't
+overflow the size of the buffer we'd allocated based on the reported
+rep.length for the total reply size.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XF86DGA2.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
+index 8830266..b5145ee 100644
+--- a/src/XF86DGA2.c
++++ b/src/XF86DGA2.c
+@@ -356,9 +356,16 @@ XDGAMode* XDGAQueryModes(
+ 		modes[i].reserved1 = info.reserved1;
+ 		modes[i].reserved2 = info.reserved2;
+ 
+-		_XRead(dpy, offset, info.name_size);
+-		modes[i].name = offset;
+-		offset += info.name_size;
++		if (info.name_size > 0 && info.name_size <= size) {
++		    _XRead(dpy, offset, info.name_size);
++		    modes[i].name = offset;
++		    modes[i].name[info.name_size - 1] = '\0';
++		    offset += info.name_size;
++		    size -= info.name_size;
++		} else {
++		    _XEatData(dpy, info.name_size);
++		    modes[i].name = NULL;
++		}
+ 	      }
+ 	      *num = rep.number;
+ 	   } else
+-- 
+1.8.2.3
+

main/libxxf86dga/0004-integer-overflow-underflow-in-XDGASetMode-CVE-2013-1.patch

@@ -0,0 +1,53 @@
+From f89cf306a60facdf102696840bc05acebd7d1772 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 12:38:25 -0700
+Subject: [PATCH 4/6] integer overflow & underflow in XDGASetMode()
+ [CVE-2013-1991 2/2]
+
+rep.length is a CARD32 and needs to be bounds checked before bit shifting
+and subtracting sz_xXDGAModeInfo to come up with the total size to allocate,
+to avoid integer overflow or underflow leading to underallocation and
+writing data from the network past the end of the allocated buffer.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XF86DGA2.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
+index b5145ee..90ca918 100644
+--- a/src/XF86DGA2.c
++++ b/src/XF86DGA2.c
+@@ -405,12 +405,15 @@ XDGASetMode(
+     if (_XReply(dpy, (xReply *)&rep, 0, xFalse)) {
+ 	if(rep.length) {
+ 	   xXDGAModeInfo info;
+-	   int size;
++	   unsigned long size;
+ 
+-	   size = rep.length << 2;
+-	   size -= sz_xXDGAModeInfo; /* get text size */
++	   if ((rep.length < (INT_MAX >> 2)) &&
++	       (rep.length > (sz_xXDGAModeInfo >> 2))) {
++	       size = rep.length << 2;
++	       size -= sz_xXDGAModeInfo; /* get text size */
+ 
+-	   dev = (XDGADevice*)Xmalloc(sizeof(XDGADevice) + size);
++	       dev = Xmalloc(sizeof(XDGADevice) + size);
++	   }
+ 
+ 	   if(dev) {
+ 		_XRead(dpy, (char*)(&info), sz_xXDGAModeInfo);
+@@ -451,6 +454,8 @@ XDGASetMode(
+ 		    dev->data += rep.offset;
+ 	   }
+ 	   /* not sure what to do if the allocation fails */
++	   else
++	       _XEatDataWords(dpy, rep.length);
+ 	}
+     }
+ 
+-- 
+1.8.2.3
+

main/libxxf86dga/0005-buffer-overflow-in-XDGASetMode-CVE-2013-2000-2-2.patch

@@ -0,0 +1,40 @@
+From b69d6d51a82b1d1e8c68a233360acb742c879375 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 12:45:41 -0700
+Subject: [PATCH 5/6] buffer overflow in XDGASetMode() [CVE-2013-2000 2/2]
+
+When reading the name strings for the mode off the network, we never
+checked to make sure the length of the name strings didn't overflow
+the size of the buffer we'd allocated based on the reported rep.length
+for the total reply size.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XF86DGA2.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
+index 90ca918..4d13677 100644
+--- a/src/XF86DGA2.c
++++ b/src/XF86DGA2.c
+@@ -444,8 +444,14 @@ XDGASetMode(
+ 		dev->mode.reserved1 = info.reserved1;
+ 		dev->mode.reserved2 = info.reserved2;
+ 
+-		dev->mode.name = (char*)(&dev[1]);
+-		_XRead(dpy, dev->mode.name, info.name_size);
++		if (info.name_size > 0 && info.name_size <= size) {
++		    dev->mode.name = (char*)(&dev[1]);
++		    _XRead(dpy, dev->mode.name, info.name_size);
++		    dev->mode.name[info.name_size - 1] = '\0';
++		} else {
++		    dev->mode.name = NULL;
++		    _XEatDataWords(dpy, rep.length);
++		}
+ 
+ 		dev->pixmap = (rep.flags & XDGAPixmap) ? pid : 0;
+ 		dev->data = XDGAGetMappedMemory(screen);
+-- 
+1.8.2.3
+

main/libxxf86dga/0006-integer-overflow-in-XDGAOpenFramebuffer.patch

@@ -0,0 +1,40 @@
+From a8dc6be3213bc91dec5e25535ef4bad5a9456af0 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Sat, 13 Apr 2013 12:53:49 -0700
+Subject: [PATCH 6/6] integer overflow in XDGAOpenFramebuffer()
+
+rep.length is a CARD32 and should be bounds checked before left shifting
+to come up with the size to allocate and read from the network, though
+since both functions take the same size, there should be no way for the
+buffer to be overflowed in this case.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ src/XF86DGA2.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
+index 4d13677..9c656e6 100644
+--- a/src/XF86DGA2.c
++++ b/src/XF86DGA2.c
+@@ -250,9 +250,14 @@ Bool XDGAOpenFramebuffer(
+ 	return False;
+     }
+ 
+-    if(rep.length) {
+-	deviceName = Xmalloc(rep.length << 2);
+-	_XRead(dpy, deviceName, rep.length << 2);
++    if (rep.length) {
++	if (rep.length < (INT_MAX >> 2)) {
++	    unsigned long size = rep.length << 2;
++	    deviceName = Xmalloc(size);
++	    _XRead(dpy, deviceName, size);
++	    deviceName[size - 1] = '\0';
++	} else
++	    _XEatDataWords(dpy, rep.length);
+     }
+ 
+     ret = XDGAMapFramebuffer(screen, deviceName,
+-- 
+1.8.2.3
+

main/libxxf86dga/APKBUILD

@@ -1,26 +1,40 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=libxxf86dga
 pkgver=1.1.3
-pkgrel=0
+pkgrel=1
 pkgdesc="X11 Direct Graphics Access extension library"
 url="http://xorg.freedesktop.org/"
 arch="all"
 license="custom"
 subpackages="$pkgname-dev $pkgname-doc"
 depends=
-makedepends="pkgconfig xf86dgaproto libxext-dev libx11-dev"
+depends_dev="xf86dgaproto libxext-dev libx11-dev"
+makedepends="$depends_dev libtool autoconf automake util-macros"
 source="http://xorg.freedesktop.org/releases/individual/lib/libXxf86dga-$pkgver.tar.bz2"
 
-depends_dev="xf86dgaproto libxext-dev libx11-dev"
+_builddir="$srcdir"/libXxf86dga-$pkgver
+prepare() {
+	cd "$_builddir"
+	for i in $source; do
+		case $i in
+		*.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;;
+		esac
+	done
+	libtoolize --force && aclocal && autoheader && autoconf \
+		&& automake --add-missing
+}
+
 build() {
-	cd "$srcdir"/libXxf86dga-$pkgver
+	cd "$_builddir"
 	./configure --prefix=/usr
 	make || return 1
 }
 
 package() {
-	cd "$srcdir"/libXxf86dga-$pkgver
+	cd "$_builddir"
 	make DESTDIR="$pkgdir" install || return 1
 	rm "$pkgdir"/usr/lib/*.la
 }
 md5sums="b7f38465c46e7145782d37dbb9da8c09  libXxf86dga-1.1.3.tar.bz2"
+sha256sums="551fa374dbef0f977de1f35d005fa9ffe92b7a87e82dbe62d6a4640f5b0b4994  libXxf86dga-1.1.3.tar.bz2"
+sha512sums="84129573f7491dff92c7072312bbadac7e7b9698b937e65c7bbf94d9b2e17a5448743e557c92c196738ddaa6d70917300f73c943e0c2507402df7bc31d5dd6d0  libXxf86dga-1.1.3.tar.bz2"