1
Description: fix denial of service and possible code execution via
2
incorrect length and bounds checking
3
Origin: upstream, http://cgit.freedesktop.org/xorg/lib/libXi/commit/?id=f3e08e4fbe40016484ba795feecf1a742170ffc1
4
Origin: upstream, http://cgit.freedesktop.org/xorg/lib/libXi/commit/?id=91434737f592e8f5cc1762383882a582b55fc03a
5
Origin: upstream, http://cgit.freedesktop.org/xorg/lib/libXi/commit/?id=5398ac0797f7516f2c9b8f2869a6c6d071437352
7
Index: libxi-1.6.99.1/src/XGetBMap.c
8
===================================================================
9
--- libxi-1.6.99.1.orig/src/XGetBMap.c 2013-05-29 10:17:11.112389290 -0400
10
+++ libxi-1.6.99.1/src/XGetBMap.c 2013-05-29 10:17:11.108389290 -0400
12
#include <X11/extensions/XInput.h>
13
#include <X11/extensions/extutil.h>
17
#ifdef MIN /* some systems define this in <sys/param.h> */
22
unsigned char mapping[256]; /* known fixed size */
24
XExtDisplayInfo *info = XInput_find_display(dpy);
26
register xGetDeviceButtonMappingReq *req;
29
status = _XReply(dpy, (xReply *) & rep, 0, xFalse);
31
- nbytes = (long)rep.length << 2;
32
- _XRead(dpy, (char *)mapping, nbytes);
34
- /* don't return more data than the user asked for. */
36
- memcpy((char *)map, (char *)mapping, MIN((int)rep.nElts, nmap));
38
+ if (rep.length <= (sizeof(mapping) >> 2)) {
39
+ unsigned long nbytes = rep.length << 2;
40
+ _XRead(dpy, (char *)mapping, nbytes);
42
+ /* don't return more data than the user asked for. */
44
+ memcpy(map, mapping, MIN((int)rep.nElts, nmap));
47
+ _XEatDataWords(dpy, rep.length);
53
Index: libxi-1.6.99.1/src/XIPassiveGrab.c
54
===================================================================
55
--- libxi-1.6.99.1.orig/src/XIPassiveGrab.c 2013-05-29 10:17:11.112389290 -0400
56
+++ libxi-1.6.99.1/src/XIPassiveGrab.c 2013-05-29 10:17:11.108389290 -0400
59
_XRead(dpy, (char*)failed_mods, reply.num_modifiers * sizeof(xXIGrabModifierInfo));
61
- for (i = 0; i < reply.num_modifiers; i++)
62
+ for (i = 0; i < reply.num_modifiers && i < num_modifiers; i++)
64
modifiers_inout[i].status = failed_mods[i].status;
65
modifiers_inout[i].modifiers = failed_mods[i].modifiers;
66
Index: libxi-1.6.99.1/src/XQueryDv.c
67
===================================================================
68
--- libxi-1.6.99.1.orig/src/XQueryDv.c 2013-05-29 10:17:11.060389291 -0400
69
+++ libxi-1.6.99.1/src/XQueryDv.c 2013-05-29 10:17:29.156389118 -0400
71
#include <X11/extensions/XInput.h>
72
#include <X11/extensions/extutil.h>
86
xQueryDeviceStateReq *req;
87
xQueryDeviceStateReply rep;
88
XDeviceState *state = NULL;
90
if (!_XReply(dpy, (xReply *) & rep, 0, xFalse))
93
- rlen = rep.length << 2;
95
- data = Xmalloc(rlen);
96
+ if (rep.length > 0) {
97
+ if (rep.length < (INT_MAX >> 2)) {
98
+ rlen = (unsigned long) rep.length << 2;
99
+ data = Xmalloc(rlen);
102
_XEatDataWords(dpy, rep.length);
105
_XRead(dpy, data, rlen);
107
for (i = 0, any = (XInputClass *) data; i < (int)rep.num_classes; i++) {
108
+ if (any->length > rlen)
110
+ rlen -= any->length;
112
switch (any->class) {
114
size += sizeof(XKeyState);