Diffstat (limited to 'patches/source/xorg-server/patch/xorg-server/0007-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch')
-rw-r--r--patches/source/xorg-server/patch/xorg-server/0007-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch74
1 files changed, 74 insertions, 0 deletions
diff --git a/patches/source/xorg-server/patch/xorg-server/0007-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch b/patches/source/xorg-server/patch/xorg-server/0007-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch
new file mode 100644
index 000000000..5d018b1c8
--- /dev/null
+++ b/patches/source/xorg-server/patch/xorg-server/0007-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch
@@ -0,0 +1,74 @@
+From ffd61dce4f10aba286ede4143c7763fda315fc49 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Wed, 22 Jan 2014 23:12:04 -0800
+Subject: [PATCH 07/31] dbe: unvalidated lengths in DbeSwapBuffers calls
+ [CVE-2014-8097]
+
+ProcDbeSwapBuffers() has a 32bit (n) length value that it uses to read
+from a buffer. The length is never validated, which can lead to out of
+bound reads, and possibly returning the data read from out of bounds to
+the misbehaving client via an X Error packet.
+
+SProcDbeSwapBuffers() swaps data (for correct endianness) before
+handing it off to the real proc. While doing the swapping, the
+length field is not validated, which can cause memory corruption.
+
+v2: reorder checks to avoid compilers optimizing out checks for overflow
+that happen after we'd already have done the overflowing multiplications.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
+---
+ dbe/dbe.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/dbe/dbe.c b/dbe/dbe.c
+index 379feb1..f5a1940 100644
+--- a/dbe/dbe.c
++++ b/dbe/dbe.c
+@@ -454,18 +454,20 @@ ProcDbeSwapBuffers(ClientPtr client)
+ DbeSwapInfoPtr swapInfo;
+ xDbeSwapInfo *dbeSwapInfo;
+ int error;
+- register int i, j;
+- int nStuff;
++ unsigned int i, j;
++ unsigned int nStuff;
+
+ REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
+ nStuff = stuff->n; /* use local variable for performance. */
+
+ if (nStuff == 0) {
++ REQUEST_SIZE_MATCH(xDbeSwapBuffersReq);
+ return Success;
+ }
+
+ if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec))
+ return BadAlloc;
++ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, nStuff * sizeof(xDbeSwapInfo));
+
+ /* Get to the swap info appended to the end of the request. */
+ dbeSwapInfo = (xDbeSwapInfo *) & stuff[1];
+@@ -956,13 +958,16 @@ static int
+ SProcDbeSwapBuffers(ClientPtr client)
+ {
+ REQUEST(xDbeSwapBuffersReq);
+- register int i;
++ unsigned int i;
+ xDbeSwapInfo *pSwapInfo;
+
+ swaps(&stuff->length);
+ REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
+
+ swapl(&stuff->n);
++ if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))
++ return BadAlloc;
++ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo));
+
+ if (stuff->n != 0) {
+ pSwapInfo = (xDbeSwapInfo *) stuff + 1;
+--
+1.9.3
+
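Review bot: In both hunks of the embedded dbe.c patch the overflow guard divides by `sizeof(DbeSwapInfoRec)` (the server-side record) while the `REQUEST_FIXED_SIZE` on the very next line multiplies the same count by `sizeof(xDbeSwapInfo)` (the wire struct), so the guard only covers that multiplication if the server record is at least as large as the wire struct — a relationship the hunk does not show and which presumably exists because the guard is really sized for a later allocation of `DbeSwapInfoRec` outside the hunk. Making the check self-evidently sufficient costs one clause: `if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec) || nStuff > UINT32_MAX / sizeof(xDbeSwapInfo)) return BadAlloc;` in ProcDbeSwapBuffers, and the same on `stuff->n` in SProcDbeSwapBuffers; failing that, a comment such as `/* guard sized for the DbeSwapInfoRec allocation below; also bounds the xDbeSwapInfo length check (sizeof(DbeSwapInfoRec) >= sizeof(xDbeSwapInfo)) */` would record the assumption. Since this file is a vendored upstream patch, any such change belongs in a follow-up patch (or upstream) rather than an edit of 0007-*.patch. Both ProcDbeSwapBuffers and SProcDbeSwapBuffers continue past the end of their hunks, so the allocation and copy loops the guard protects are not visible here.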