mirror of
https://git.yoctoproject.org/poky
synced 2026-07-16 15:57:04 +00:00
b45822fe66
Insufficient validation of server responses results in overflow of previously reserved memory Upstream patch: https://cgit.freedesktop.org/xorg/lib/libXrender/commit/?id=9362c7ddd1af3b168953d0737877bc52d79c94f4 External References: https://lists.x.org/archives/xorg-announce/2016-October/002720.html https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7949 (From OE-Core rev: 87ffd7ce2e8ece8b44ff3f1c219a74b3590cf14b) Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
60 lines
1.8 KiB
Diff
60 lines
1.8 KiB
Diff
From 9362c7ddd1af3b168953d0737877bc52d79c94f4 Mon Sep 17 00:00:00 2001
|
|
From: Tobias Stoeckmann <tobias@stoeckmann.org>
|
|
Date: Sun, 25 Sep 2016 21:43:09 +0200
|
|
Subject: Validate lengths while parsing server data.
|
|
|
|
Individual lengths inside received server data can overflow
|
|
the previously reserved memory.
|
|
|
|
It is therefore important to validate every single length
|
|
field to not overflow the previously agreed sum of all invidual
|
|
length fields.
|
|
|
|
v2: consume remaining bytes in the reply buffer on error.
|
|
|
|
CVE: CVE-2016-7949
|
|
Upstream-Status: Backport
|
|
|
|
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
|
Reviewed-by: Matthieu Herrb@laas.fr
|
|
Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
|
|
|
|
diff --git a/src/Xrender.c b/src/Xrender.c
|
|
index 3102eb2..71cf3e6 100644
|
|
--- a/src/Xrender.c
|
|
+++ b/src/Xrender.c
|
|
@@ -533,12 +533,30 @@ XRenderQueryFormats (Display *dpy)
|
|
screen->fallback = _XRenderFindFormat (xri, xScreen->fallback);
|
|
screen->subpixel = SubPixelUnknown;
|
|
xDepth = (xPictDepth *) (xScreen + 1);
|
|
+ if (screen->ndepths > rep.numDepths) {
|
|
+ Xfree (xri);
|
|
+ Xfree (xData);
|
|
+ _XEatDataWords (dpy, rep.length);
|
|
+ UnlockDisplay (dpy);
|
|
+ SyncHandle ();
|
|
+ return 0;
|
|
+ }
|
|
+ rep.numDepths -= screen->ndepths;
|
|
for (nd = 0; nd < screen->ndepths; nd++)
|
|
{
|
|
depth->depth = xDepth->depth;
|
|
depth->nvisuals = xDepth->nPictVisuals;
|
|
depth->visuals = visual;
|
|
xVisual = (xPictVisual *) (xDepth + 1);
|
|
+ if (depth->nvisuals > rep.numVisuals) {
|
|
+ Xfree (xri);
|
|
+ Xfree (xData);
|
|
+ _XEatDataWords (dpy, rep.length);
|
|
+ UnlockDisplay (dpy);
|
|
+ SyncHandle ();
|
|
+ return 0;
|
|
+ }
|
|
+ rep.numVisuals -= depth->nvisuals;
|
|
for (nv = 0; nv < depth->nvisuals; nv++)
|
|
{
|
|
visual->visual = _XRenderFindVisual (dpy, xVisual->visual);
|
|
--
|
|
cgit v0.10.2
|
|
|