diff options
Diffstat (limited to '')
-rw-r--r-- | patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12179_p2.diff | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12179_p2.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12179_p2.diff new file mode 100644 index 000000000..346756033 --- /dev/null +++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12179_p2.diff @@ -0,0 +1,46 @@ +From d088e3c1286b548a58e62afdc70bb40981cdb9e8 Mon Sep 17 00:00:00 2001 +From: Nathan Kidd <nkidd@opentext.com> +Date: Fri, 9 Jan 2015 10:04:41 -0500 +Subject: Xi: integer overflow and unvalidated length in + (S)ProcXIBarrierReleasePointer + +[jcristau: originally this patch fixed the same issue as commit + 211e05ac85 "Xi: Test exact size of XIBarrierReleasePointer", with the + addition of these checks] + +This addresses CVE-2017-12179 + +Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com> +Reviewed-by: Julien Cristau <jcristau@debian.org> +Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com> +Signed-off-by: Nathan Kidd <nkidd@opentext.com> +Signed-off-by: Julien Cristau <jcristau@debian.org> + +diff --git a/Xi/xibarriers.c b/Xi/xibarriers.c +index d82ecb6..d0be701 100644 +--- a/Xi/xibarriers.c ++++ b/Xi/xibarriers.c +@@ -834,6 +834,8 @@ SProcXIBarrierReleasePointer(ClientPtr client) + REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq); + + swapl(&stuff->num_barriers); ++ if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo)) ++ return BadLength; + REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo)); + + info = (xXIBarrierReleasePointerInfo*) &stuff[1]; +@@ -856,6 +858,9 @@ ProcXIBarrierReleasePointer(ClientPtr client) + xXIBarrierReleasePointerInfo *info; + + REQUEST(xXIBarrierReleasePointerReq); ++ REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq); ++ if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo)) ++ return BadLength; + REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo)); + + info = (xXIBarrierReleasePointerInfo*) &stuff[1]; +-- +cgit v0.10.2 + + |