Diffstat (limited to 'patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12184_12185_12186_12187.diff')
-rw-r--r--patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12184_12185_12186_12187.diff139
1 files changed, 139 insertions, 0 deletions
diff --git a/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12184_12185_12186_12187.diff b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12184_12185_12186_12187.diff
new file mode 100644
index 00000000..d2995686
--- /dev/null
+++ b/patches/source/xorg-server/patch/xorg-server/xorg-server.CVE-2017-12184_12185_12186_12187.diff
@@ -0,0 +1,139 @@
+From cad5a1050b7184d828aef9c1dd151c3ab649d37e Mon Sep 17 00:00:00 2001
+From: Nathan Kidd <nkidd@opentext.com>
+Date: Fri, 9 Jan 2015 09:57:23 -0500
+Subject: Unvalidated lengths
+
+v2: Add overflow check and remove unnecessary check (Julien Cristau)
+
+This addresses:
+CVE-2017-12184 in XINERAMA
+CVE-2017-12185 in MIT-SCREEN-SAVER
+CVE-2017-12186 in X-Resource
+CVE-2017-12187 in RENDER
+
+Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+Signed-off-by: Nathan Kidd <nkidd@opentext.com>
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+
+diff --git a/Xext/panoramiX.c b/Xext/panoramiX.c
+index 209df29..844ea49 100644
+--- a/Xext/panoramiX.c
++++ b/Xext/panoramiX.c
+@@ -988,10 +988,11 @@ ProcPanoramiXGetScreenSize(ClientPtr client)
+ xPanoramiXGetScreenSizeReply rep;
+ int rc;
+
++ REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
++
+ if (stuff->screen >= PanoramiXNumScreens)
+ return BadMatch;
+
+- REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
+ rc = dixLookupWindow(&pWin, stuff->window, client, DixGetAttrAccess);
+ if (rc != Success)
+ return rc;
+diff --git a/Xext/saver.c b/Xext/saver.c
+index 0949761..f6090d8 100644
+--- a/Xext/saver.c
++++ b/Xext/saver.c
+@@ -1186,6 +1186,8 @@ ProcScreenSaverUnsetAttributes(ClientPtr client)
+ PanoramiXRes *draw;
+ int rc, i;
+
++ REQUEST_SIZE_MATCH(xScreenSaverUnsetAttributesReq);
++
+ rc = dixLookupResourceByClass((void **) &draw, stuff->drawable,
+ XRC_DRAWABLE, client, DixWriteAccess);
+ if (rc != Success)
+diff --git a/Xext/xres.c b/Xext/xres.c
+index 21239f5..0242158 100644
+--- a/Xext/xres.c
++++ b/Xext/xres.c
+@@ -947,6 +947,8 @@ ProcXResQueryResourceBytes (ClientPtr client)
+ ConstructResourceBytesCtx ctx;
+
+ REQUEST_AT_LEAST_SIZE(xXResQueryResourceBytesReq);
++ if (stuff->numSpecs > UINT32_MAX / sizeof(ctx.specs[0]))
++ return BadLength;
+ REQUEST_FIXED_SIZE(xXResQueryResourceBytesReq,
+ stuff->numSpecs * sizeof(ctx.specs[0]));
+
+@@ -1052,8 +1054,8 @@ SProcXResQueryResourceBytes (ClientPtr client)
+ int c;
+ xXResResourceIdSpec *specs = (void*) ((char*) stuff + sizeof(*stuff));
+
+- swapl(&stuff->numSpecs);
+ REQUEST_AT_LEAST_SIZE(xXResQueryResourceBytesReq);
++ swapl(&stuff->numSpecs);
+ REQUEST_FIXED_SIZE(xXResQueryResourceBytesReq,
+ stuff->numSpecs * sizeof(specs[0]));
+
+diff --git a/Xext/xvdisp.c b/Xext/xvdisp.c
+index d99d3d4..5232b37 100644
+--- a/Xext/xvdisp.c
++++ b/Xext/xvdisp.c
+@@ -1493,12 +1493,14 @@ XineramaXvShmPutImage(ClientPtr client)
+ {
+ REQUEST(xvShmPutImageReq);
+ PanoramiXRes *draw, *gc, *port;
+- Bool send_event = stuff->send_event;
++ Bool send_event;
+ Bool isRoot;
+ int result, i, x, y;
+
+ REQUEST_SIZE_MATCH(xvShmPutImageReq);
+
++ send_event = stuff->send_event;
++
+ result = dixLookupResourceByClass((void **) &draw, stuff->drawable,
+ XRC_DRAWABLE, client, DixWriteAccess);
+ if (result != Success)
+diff --git a/hw/dmx/dmxpict.c b/hw/dmx/dmxpict.c
+index 1f1022e..63caec9 100644
+--- a/hw/dmx/dmxpict.c
++++ b/hw/dmx/dmxpict.c
+@@ -716,6 +716,8 @@ dmxProcRenderSetPictureFilter(ClientPtr client)
+ filter = (char *) (stuff + 1);
+ params = (XFixed *) (filter + ((stuff->nbytes + 3) & ~3));
+ nparams = ((XFixed *) stuff + client->req_len) - params;
++ if (nparams < 0)
++ return BadLength;
+
+ XRenderSetPictureFilter(dmxScreen->beDisplay,
+ pPictPriv->pict, filter, params, nparams);
+diff --git a/pseudoramiX/pseudoramiX.c b/pseudoramiX/pseudoramiX.c
+index d8b2593..95f6e10 100644
+--- a/pseudoramiX/pseudoramiX.c
++++ b/pseudoramiX/pseudoramiX.c
+@@ -297,10 +297,11 @@ ProcPseudoramiXGetScreenSize(ClientPtr client)
+
+ TRACE;
+
++ REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
++
+ if (stuff->screen >= pseudoramiXNumScreens)
+ return BadMatch;
+
+- REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
+ rc = dixLookupWindow(&pWin, stuff->window, client, DixGetAttrAccess);
+ if (rc != Success)
+ return rc;
+diff --git a/render/render.c b/render/render.c
+index ccae49a..7d94bd5 100644
+--- a/render/render.c
++++ b/render/render.c
+@@ -1757,6 +1757,9 @@ ProcRenderSetPictureFilter(ClientPtr client)
+ name = (char *) (stuff + 1);
+ params = (xFixed *) (name + pad_to_int32(stuff->nbytes));
+ nparams = ((xFixed *) stuff + client->req_len) - params;
++ if (nparams < 0)
++ return BadLength;
++
+ result = SetPictureFilter(pPicture, name, stuff->nbytes, params, nparams);
+ return result;
+ }
+--
+cgit v0.10.2
+
+
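Review bot: The overflow guard added to ProcXResQueryResourceBytes in the embedded Xext/xres.c hunk has no counterpart in SProcXResQueryResourceBytes, where the patch only moves `swapl(&stuff->numSpecs)` below `REQUEST_AT_LEAST_SIZE`. The byte-swapped handler still passes `stuff->numSpecs * sizeof(specs[0])` to `REQUEST_FIXED_SIZE` unchecked, so on a build where `size_t` is 32 bits the product could wrap before the length comparison. Repeating the guard right after the swap, `if (stuff->numSpecs > UINT32_MAX / sizeof(specs[0])) return BadLength;`, would keep the two paths consistent. The rest of SProcXResQueryResourceBytes lies outside the hunk, so what it does with `specs` after the size check should be confirmed against the full source.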