From 8ff4f2f51a6cf07fc33742ce3bee81328896e49b Mon Sep 17 00:00:00 2001
From: Patrick J Volkerding <volkerdi@slackware.com>
Date: Fri, 25 May 2018 23:29:36 +0000
Subject: Fri May 25 23:29:36 UTC 2018

patches/packages/glibc-zoneinfo-2018e-noarch-2_slack14.1.txz:  Rebuilt.
  Handle removal of US/Pacific-New timezone. If we see that the machine is
  using this, it will be automatically switched to US/Pacific.
---
 ...-overflow-in-RegionSizeof-CVE-2014-8092-3.patch | 129 +++++++++++++++++++++
 1 file changed, 129 insertions(+)
 create mode 100644 patches/source/xorg-server/patch/xorg-server/0004-dix-integer-overflow-in-RegionSizeof-CVE-2014-8092-3.patch

(limited to 'patches/source/xorg-server/patch/xorg-server/0004-dix-integer-overflow-in-RegionSizeof-CVE-2014-8092-3.patch')

diff --git a/patches/source/xorg-server/patch/xorg-server/0004-dix-integer-overflow-in-RegionSizeof-CVE-2014-8092-3.patch b/patches/source/xorg-server/patch/xorg-server/0004-dix-integer-overflow-in-RegionSizeof-CVE-2014-8092-3.patch
new file mode 100644
index 000000000..8023f93eb
--- /dev/null
+++ b/patches/source/xorg-server/patch/xorg-server/0004-dix-integer-overflow-in-RegionSizeof-CVE-2014-8092-3.patch
@@ -0,0 +1,129 @@
+From 8f82f69e9e4b76b01b9f5fe06d1ea86851d951c4 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Wed, 22 Jan 2014 22:37:15 -0800
+Subject: [PATCH 04/31] dix: integer overflow in RegionSizeof() [CVE-2014-8092
+ 3/4]
+
+RegionSizeof contains several integer overflows if a large length
+value is passed in.  Once we fix it to return 0 on overflow, we
+also have to fix the callers to handle this error condition
+
+v2: Fixed limit calculation in RegionSizeof as pointed out by jcristau.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
+---
+ dix/region.c        | 20 +++++++++++++-------
+ include/regionstr.h | 10 +++++++---
+ 2 files changed, 20 insertions(+), 10 deletions(-)
+
+diff --git a/dix/region.c b/dix/region.c
+index 737d2a8..76c4e29 100644
+--- a/dix/region.c
++++ b/dix/region.c
+@@ -169,7 +169,6 @@ Equipment Corporation.
+         ((r1)->y1 <= (r2)->y1) && \
+         ((r1)->y2 >= (r2)->y2) )
+ 
+-#define xallocData(n) malloc(RegionSizeof(n))
+ #define xfreeData(reg) if ((reg)->data && (reg)->data->size) free((reg)->data)
+ 
+ #define RECTALLOC_BAIL(pReg,n,bail) \
+@@ -205,8 +204,9 @@ if (!(pReg)->data || (((pReg)->data->numRects + (n)) > (pReg)->data->size)) \
+ #define DOWNSIZE(reg,numRects)						 \
+ if (((numRects) < ((reg)->data->size >> 1)) && ((reg)->data->size > 50)) \
+ {									 \
+-    RegDataPtr NewData;							 \
+-    NewData = (RegDataPtr)realloc((reg)->data, RegionSizeof(numRects));	 \
++    size_t NewSize = RegionSizeof(numRects);				 \
++    RegDataPtr NewData =						 \
++        (NewSize > 0) ? realloc((reg)->data, NewSize) : NULL ;		 \
+     if (NewData)							 \
+     {									 \
+ 	NewData->size = (numRects);					 \
+@@ -330,17 +330,20 @@ Bool
+ RegionRectAlloc(RegionPtr pRgn, int n)
+ {
+     RegDataPtr data;
++    size_t rgnSize;
+ 
+     if (!pRgn->data) {
+         n++;
+-        pRgn->data = xallocData(n);
++        rgnSize = RegionSizeof(n);
++        pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL;
+         if (!pRgn->data)
+             return RegionBreak(pRgn);
+         pRgn->data->numRects = 1;
+         *RegionBoxptr(pRgn) = pRgn->extents;
+     }
+     else if (!pRgn->data->size) {
+-        pRgn->data = xallocData(n);
++        rgnSize = RegionSizeof(n);
++        pRgn->data = (rgnSize > 0) ? malloc(rgnSize) : NULL;
+         if (!pRgn->data)
+             return RegionBreak(pRgn);
+         pRgn->data->numRects = 0;
+@@ -352,7 +355,8 @@ RegionRectAlloc(RegionPtr pRgn, int n)
+                 n = 250;
+         }
+         n += pRgn->data->numRects;
+-        data = (RegDataPtr) realloc(pRgn->data, RegionSizeof(n));
++        rgnSize = RegionSizeof(n);
++        data = (rgnSize > 0) ? realloc(pRgn->data, rgnSize) : NULL;
+         if (!data)
+             return RegionBreak(pRgn);
+         pRgn->data = data;
+@@ -1297,6 +1301,7 @@ RegionFromRects(int nrects, xRectangle *prect, int ctype)
+ {
+ 
+     RegionPtr pRgn;
++    size_t rgnSize;
+     RegDataPtr pData;
+     BoxPtr pBox;
+     int i;
+@@ -1323,7 +1328,8 @@ RegionFromRects(int nrects, xRectangle *prect, int ctype)
+         }
+         return pRgn;
+     }
+-    pData = xallocData(nrects);
++    rgnSize = RegionSizeof(nrects);
++    pData = (rgnSize > 0) ? malloc(rgnSize) : NULL;
+     if (!pData) {
+         RegionBreak(pRgn);
+         return pRgn;
+diff --git a/include/regionstr.h b/include/regionstr.h
+index 805257b..5006207 100644
+--- a/include/regionstr.h
++++ b/include/regionstr.h
+@@ -127,7 +127,10 @@ RegionEnd(RegionPtr reg)
+ static inline size_t
+ RegionSizeof(int n)
+ {
+-    return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec)));
++    if (n < ((INT_MAX - sizeof(RegDataRec)) / sizeof(BoxRec)))
++        return (sizeof(RegDataRec) + ((n) * sizeof(BoxRec)));
++    else
++        return 0;
+ }
+ 
+ static inline void
+@@ -138,9 +141,10 @@ RegionInit(RegionPtr _pReg, BoxPtr _rect, int _size)
+         (_pReg)->data = (RegDataPtr) NULL;
+     }
+     else {
++        size_t rgnSize;
+         (_pReg)->extents = RegionEmptyBox;
+-        if (((_size) > 1) && ((_pReg)->data =
+-                              (RegDataPtr) malloc(RegionSizeof(_size)))) {
++        if (((_size) > 1) && ((rgnSize = RegionSizeof(_size)) > 0) &&
++            (((_pReg)->data = malloc(rgnSize)) != NULL)) {
+             (_pReg)->data->size = (_size);
+             (_pReg)->data->numRects = 0;
+         }
+-- 
+1.9.3
+
-- 
cgit v1.2.3