mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-05-31 00:39:46 +00:00
Code Issues Projects Releases Wiki Activity

xorg: Fix for CVE-2013-6424

Browse Source 
Integer underflow in the xTrapezoidValid macro in render/picture.h in X.Org
allows context-dependent attackers to cause a denial of service (crash) via
a negative bottom value.

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6424

(From OE-Core rev: 059dc5f4ef9bcf49cb6520f5f2ab1e739f4d42de)

Signed-off-by: Baogen Shang <baogen.shang@windriver.com>
Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Kai Kang
2014-04-01 17:09:50 +08:00
committed by Richard Purdie
parent 30959dda95
commit 377ce42a6a
2 changed files with 32 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta/recipes-graphics/xorg-xserver/xserver-xorg/xorg-CVE-2013-6424.patch
+31
View File
@@ -0,0 +1,31 @@
This patch comes from:
http://lists.x.org/archives/xorg-devel/2013-October/037996.html
Upstream-Status: Backport
Signed-off-by: Baogen shang <baogen.shang@windriver.com>
diff -Naur xorg-server-1.14.0-orig/exa/exa_render.c xorg-server-1.14.0/exa/exa_render.c
--- xorg-server-1.14.0-orig/exa/exa_render.c 2014-02-27 14:32:38.000000000 +0800
+++ xorg-server-1.14.0/exa/exa_render.c 2014-02-27 15:46:59.000000000 +0800
@@ -1141,7 +1141,8 @@
exaPrepareAccess(pPicture->pDrawable, EXA_PREPARE_DEST);
for (; ntrap; ntrap--, traps++)
- (*ps->RasterizeTrapezoid) (pPicture, traps, -bounds.x1, -bounds.y1);
+ if (xTrapezoidValid(traps))
+ (*ps->RasterizeTrapezoid) (pPicture, traps, -bounds.x1, -bounds.y1);
exaFinishAccess(pPicture->pDrawable, EXA_PREPARE_DEST);
xRel = bounds.x1 + xSrc - xDst;
diff -Naur xorg-server-1.14.0-orig/render/picture.h xorg-server-1.14.0/render/picture.h
--- xorg-server-1.14.0-orig/render/picture.h 2014-02-27 14:32:26.000000000 +0800
+++ xorg-server-1.14.0/render/picture.h 2014-02-27 15:48:13.000000000 +0800
@@ -211,7 +211,7 @@
/* whether 't' is a well defined not obviously empty trapezoid */
#define xTrapezoidValid(t) ((t)->left.p1.y != (t)->left.p2.y && \
(t)->right.p1.y != (t)->right.p2.y && \
- (int) ((t)->bottom - (t)->top) > 0)
+ ((t)->bottom > (t)->top))
/*
* Standard NTSC luminance conversions:
meta/recipes-graphics/xorg-xserver/xserver-xorg_1.15.0.bb
+1
View File
@@ -5,6 +5,7 @@ SRC_URI += "file://crosscompile.patch \
file://fix_open_max_preprocessor_error.patch \ file://fix_open_max_preprocessor_error.patch \
file://mips64-compiler.patch \ file://mips64-compiler.patch \
file://aarch64.patch \ file://aarch64.patch \
file://xorg-CVE-2013-6424.patch \
" "
SRC_URI[md5sum] = "c2ace3697b32414094cf8c597c39d7d9" SRC_URI[md5sum] = "c2ace3697b32414094cf8c597c39d7d9"