mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-06-02 13:29:49 +00:00
Code Issues Projects Releases Wiki Activity

libX11: CVE-2016-7942

Browse Source 
The XGetImage function in X.org libX11 before 1.6.4 might allow remote X
servers to gain privileges via vectors involving image type and geometry,
which triggers out-of-bounds read operations.

References
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7942
Upstream patch
https://cgit.freedesktop.org/xorg/lib/libX11/commit/?id=8ea762f94f4c942d898fdeb590a1630c83235c17

(From OE-Core rev: 6d4421301a54c26e390fa943805574ced6e18c3a)

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Sona Sarmadi
2017-01-30 12:46:22 +01:00
committed by Richard Purdie
parent 4f991d93f6
commit eed433faba
2 changed files with 70 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7942.patch
+69
View File
@@ -0,0 +1,69 @@
From 8ea762f94f4c942d898fdeb590a1630c83235c17 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Sun, 25 Sep 2016 21:25:25 +0200
Subject: Validation of server responses in XGetImage()
Check if enough bytes were received for specified image type and
geometry. Otherwise GetPixel and other functions could trigger an
out of boundary read later on.
CVE: CVE-2016-7942
Upstream-Status: Backport
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
diff --git a/src/GetImage.c b/src/GetImage.c
index c461abc..ff32d58 100644
--- a/src/GetImage.c
+++ b/src/GetImage.c
@@ -59,6 +59,7 @@ XImage *XGetImage (
char *data;
unsigned long nbytes;
XImage *image;
+ int planes;
LockDisplay(dpy);
GetReq (GetImage, req);
/*
@@ -91,18 +92,28 @@ XImage *XGetImage (
return (XImage *) NULL;
}
_XReadPad (dpy, data, nbytes);
- if (format == XYPixmap)
- image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual),
- Ones (plane_mask &
- (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))),
- format, 0, data, width, height, dpy->bitmap_pad, 0);
- else /* format == ZPixmap */
- image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual),
- rep.depth, ZPixmap, 0, data, width, height,
- _XGetScanlinePad(dpy, (int) rep.depth), 0);
+ if (format == XYPixmap) {
+ image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual),
+ Ones (plane_mask &
+ (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))),
+ format, 0, data, width, height, dpy->bitmap_pad, 0);
+ planes = image->depth;
+ } else { /* format == ZPixmap */
+ image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual),
+ rep.depth, ZPixmap, 0, data, width, height,
+ _XGetScanlinePad(dpy, (int) rep.depth), 0);
+ planes = 1;
+ }
if (!image)
Xfree(data);
+ if (planes < 1 || image->height < 1 || image->bytes_per_line < 1 ||
+ INT_MAX / image->height <= image->bytes_per_line ||
+ INT_MAX / planes <= image->height * image->bytes_per_line ||
+ nbytes < planes * image->height * image->bytes_per_line) {
+ XDestroyImage(image);
+ image = NULL;
+ }
UnlockDisplay(dpy);
SyncHandle();
return (image);
--
cgit v0.10.2
meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb
+1
View File
@@ -5,6 +5,7 @@ BBCLASSEXTEND = "native nativesdk"
SRC_URI += "file://disable_tests.patch \ SRC_URI += "file://disable_tests.patch \
file://libX11-Add-missing-NULL-check.patch \ file://libX11-Add-missing-NULL-check.patch \
file://CVE-2016-7942.patch \
" "
SRC_URI[md5sum] = "2e36b73f8a42143142dda8129f02e4e0" SRC_URI[md5sum] = "2e36b73f8a42143142dda8129f02e4e0"