Diffstat (limited to 'patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12179_p1.diff')
-rw-r--r-- | patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12179_p1.diff | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12179_p1.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12179_p1.diff
new file mode 100644
index 000000000..0b3734642
--- /dev/null
+++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12179_p1.diff
@@ -0,0 +1,42 @@
+From 211e05ac85a294ef361b9f80d689047fa52b9076 Mon Sep 17 00:00:00 2001
+From: Michal Srb <msrb@suse.com>
+Date: Fri, 7 Jul 2017 17:21:46 +0200
+Subject: Xi: Test exact size of XIBarrierReleasePointer
+
+Otherwise a client can send any value of num_barriers and cause reading or swapping of values on heap behind the receive buffer.
+
+Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+diff --git a/Xi/xibarriers.c b/Xi/xibarriers.c
+index af1562e..d82ecb6 100644
+--- a/Xi/xibarriers.c
++++ b/Xi/xibarriers.c
+@@ -830,10 +830,13 @@ SProcXIBarrierReleasePointer(ClientPtr client)
+ REQUEST(xXIBarrierReleasePointerReq);
+ int i;
+
+- info = (xXIBarrierReleasePointerInfo*) &stuff[1];
+-
+ swaps(&stuff->length);
++ REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
++
+ swapl(&stuff->num_barriers);
++ REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
++
++ info = (xXIBarrierReleasePointerInfo*) &stuff[1];
+ for (i = 0; i < stuff->num_barriers; i++, info++) {
+ swaps(&info->deviceid);
+ swapl(&info->barrier);
+@@ -853,7 +856,7 @@ ProcXIBarrierReleasePointer(ClientPtr client)
+ xXIBarrierReleasePointerInfo *info;
+
+ REQUEST(xXIBarrierReleasePointerReq);
+- REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
++ REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
+
+ info = (xXIBarrierReleasePointerInfo*) &stuff[1];
+ for (i = 0; i < stuff->num_barriers; i++, info++) {
+--
+cgit v0.10.2
+
+ |
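Review bot: The length handed to REQUEST_FIXED_SIZE in both SProcXIBarrierReleasePointer and ProcXIBarrierReleasePointer is `stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo)`, and num_barriers comes straight from the client with no bound applied before the multiply. On a build where size_t is 32 bits the product can wrap, so an oversized count could presumably still satisfy the size check and leave the following loop reading or swapping past the request buffer. A guard ahead of each REQUEST_FIXED_SIZE, such as `if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo)) return BadLength;`, would close that gap. The `_p1` suffix on the file name suggests a companion patch, so confirm that it carries this bound; both function bodies continue outside the hunks shown.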