mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-05-31 00:39:46 +00:00
Code Issues Projects Releases Wiki Activity

libxrender: CVE-2016-7949

Browse Source 
Insufficient validation of server responses results
in overflow of previously reserved memory

Upstream patch:
https://cgit.freedesktop.org/xorg/lib/libXrender/commit/?id=9362c7ddd1af3b168953d0737877bc52d79c94f4

External References:
https://lists.x.org/archives/xorg-announce/2016-October/002720.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7949

(From OE-Core rev: 87ffd7ce2e8ece8b44ff3f1c219a74b3590cf14b)

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Sona Sarmadi
2017-01-27 08:26:12 +01:00
committed by Richard Purdie
parent 7cf454e23c
commit b45822fe66
2 changed files with 62 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta/recipes-graphics/xorg-lib/libxrender/CVE-2016-7949.patch
+59
View File
@@ -0,0 +1,59 @@
From 9362c7ddd1af3b168953d0737877bc52d79c94f4 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Sun, 25 Sep 2016 21:43:09 +0200
Subject: Validate lengths while parsing server data.
Individual lengths inside received server data can overflow
the previously reserved memory.
It is therefore important to validate every single length
field to not overflow the previously agreed sum of all invidual
length fields.
v2: consume remaining bytes in the reply buffer on error.
CVE: CVE-2016-7949
Upstream-Status: Backport
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Reviewed-by: Matthieu Herrb@laas.fr
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
diff --git a/src/Xrender.c b/src/Xrender.c
index 3102eb2..71cf3e6 100644
--- a/src/Xrender.c
+++ b/src/Xrender.c
@@ -533,12 +533,30 @@ XRenderQueryFormats (Display *dpy)
screen->fallback = _XRenderFindFormat (xri, xScreen->fallback);
screen->subpixel = SubPixelUnknown;
xDepth = (xPictDepth *) (xScreen + 1);
+ if (screen->ndepths > rep.numDepths) {
+ Xfree (xri);
+ Xfree (xData);
+ _XEatDataWords (dpy, rep.length);
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ return 0;
+ }
+ rep.numDepths -= screen->ndepths;
for (nd = 0; nd < screen->ndepths; nd++)
{
depth->depth = xDepth->depth;
depth->nvisuals = xDepth->nPictVisuals;
depth->visuals = visual;
xVisual = (xPictVisual *) (xDepth + 1);
+ if (depth->nvisuals > rep.numVisuals) {
+ Xfree (xri);
+ Xfree (xData);
+ _XEatDataWords (dpy, rep.length);
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ return 0;
+ }
+ rep.numVisuals -= depth->nvisuals;
for (nv = 0; nv < depth->nvisuals; nv++)
{
visual->visual = _XRenderFindVisual (dpy, xVisual->visual);
--
cgit v0.10.2
meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb
+3
View File
@@ -19,5 +19,8 @@ XORG_PN = "libXrender"
BBCLASSEXTEND = "native nativesdk"
SRC_URI += "file://CVE-2016-7949.patch \
"
SRC_URI[md5sum] = "5db92962b124ca3a8147daae4adbd622"
SRC_URI[sha256sum] = "fc2fe57980a14092426dffcd1f2d9de0987b9d40adea663bd70d6342c0e9be1a"