From cad5a1050b7184d828aef9c1dd151c3ab649d37e Mon Sep 17 00:00:00 2001
From: Nathan Kidd <nkidd@opentext.com>
Date: Fri, 9 Jan 2015 09:57:23 -0500
Subject: Unvalidated lengths

v2: Add overflow check and remove unnecessary check (Julien Cristau)

This addresses:
CVE-2017-12184 in XINERAMA
CVE-2017-12185 in MIT-SCREEN-SAVER
CVE-2017-12186 in X-Resource
CVE-2017-12187 in RENDER

Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Nathan Kidd <nkidd@opentext.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>

diff --git a/Xext/panoramiX.c b/Xext/panoramiX.c
index 209df29..844ea49 100644
--- a/Xext/panoramiX.c
+++ b/Xext/panoramiX.c
@@ -988,10 +988,11 @@ ProcPanoramiXGetScreenSize(ClientPtr client)
     xPanoramiXGetScreenSizeReply rep;
     int rc;
 
+    REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
+
     if (stuff->screen >= PanoramiXNumScreens)
         return BadMatch;
 
-    REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
     rc = dixLookupWindow(&pWin, stuff->window, client, DixGetAttrAccess);
     if (rc != Success)
         return rc;
diff --git a/Xext/saver.c b/Xext/saver.c
index 0949761..f6090d8 100644
--- a/Xext/saver.c
+++ b/Xext/saver.c
@@ -1186,6 +1186,8 @@ ProcScreenSaverUnsetAttributes(ClientPtr client)
         PanoramiXRes *draw;
         int rc, i;
 
+        REQUEST_SIZE_MATCH(xScreenSaverUnsetAttributesReq);
+
         rc = dixLookupResourceByClass((void **) &draw, stuff->drawable,
                                       XRC_DRAWABLE, client, DixWriteAccess);
         if (rc != Success)
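Review bot: The added `REQUEST_SIZE_MATCH(xScreenSaverUnsetAttributesReq);` sits at the deeper indent of a nested block in ProcScreenSaverUnsetAttributes, so it guards only the branch that reads `stuff->drawable` for the `XRC_DRAWABLE` lookup. Whether the path that skips this block validates the request length is not visible here, because the function starts and ends outside the hunk. A one-line comment above the check, such as `/* validate length before this branch reads stuff->drawable; the other path must check on its own */`, would make that dependency explicit for the next reader.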
diff --git a/Xext/xres.c b/Xext/xres.c
index 21239f5..0242158 100644
--- a/Xext/xres.c
+++ b/Xext/xres.c
@@ -947,6 +947,8 @@ ProcXResQueryResourceBytes (ClientPtr client)
     ConstructResourceBytesCtx    ctx;
 
     REQUEST_AT_LEAST_SIZE(xXResQueryResourceBytesReq);
+    if (stuff->numSpecs > UINT32_MAX / sizeof(ctx.specs[0]))
+        return BadLength;
     REQUEST_FIXED_SIZE(xXResQueryResourceBytesReq,
                        stuff->numSpecs * sizeof(ctx.specs[0]));
 
@@ -1052,8 +1054,8 @@ SProcXResQueryResourceBytes (ClientPtr client)
     int c;
     xXResResourceIdSpec *specs = (void*) ((char*) stuff + sizeof(*stuff));
 
-    swapl(&stuff->numSpecs);
     REQUEST_AT_LEAST_SIZE(xXResQueryResourceBytesReq);
+    swapl(&stuff->numSpecs);
     REQUEST_FIXED_SIZE(xXResQueryResourceBytesReq,
                        stuff->numSpecs * sizeof(specs[0]));
 
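Review bot: The swapped handler still multiplies the client-supplied `stuff->numSpecs` by `sizeof(specs[0])` without the overflow guard that this commit adds to ProcXResQueryResourceBytes. Where size_t is 32 bits the product can wrap, so REQUEST_FIXED_SIZE may accept a count larger than the request actually holds. If the rest of the function (outside this hunk) walks `specs` by `numSpecs` before delegating, that walk would run past the request buffer. Repeating the guard right after the swap, `if (stuff->numSpecs > UINT32_MAX / sizeof(specs[0])) return BadLength;`, keeps both entry points consistent.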
diff --git a/Xext/xvdisp.c b/Xext/xvdisp.c
index d99d3d4..5232b37 100644
--- a/Xext/xvdisp.c
+++ b/Xext/xvdisp.c
@@ -1493,12 +1493,14 @@ XineramaXvShmPutImage(ClientPtr client)
 {
     REQUEST(xvShmPutImageReq);
     PanoramiXRes *draw, *gc, *port;
-    Bool send_event = stuff->send_event;
+    Bool send_event;
     Bool isRoot;
     int result, i, x, y;
 
     REQUEST_SIZE_MATCH(xvShmPutImageReq);
 
+    send_event = stuff->send_event;
+
     result = dixLookupResourceByClass((void **) &draw, stuff->drawable,
                                       XRC_DRAWABLE, client, DixWriteAccess);
     if (result != Success)
diff --git a/hw/dmx/dmxpict.c b/hw/dmx/dmxpict.c
index 1f1022e..63caec9 100644
--- a/hw/dmx/dmxpict.c
+++ b/hw/dmx/dmxpict.c
@@ -716,6 +716,8 @@ dmxProcRenderSetPictureFilter(ClientPtr client)
         filter = (char *) (stuff + 1);
         params = (XFixed *) (filter + ((stuff->nbytes + 3) & ~3));
         nparams = ((XFixed *) stuff + client->req_len) - params;
+        if (nparams < 0)
+            return BadLength;
 
         XRenderSetPictureFilter(dmxScreen->beDisplay,
                                 pPictPriv->pict, filter, params, nparams);
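Review bot: The new `nparams < 0` test detects an oversized `stuff->nbytes` only after `params` has already been formed past the end of the request, so it relies on the sign of a difference between pointers that may not lie in the same object. Comparing lengths as integers before deriving `params` would avoid that, for example rejecting the request when the padded `stuff->nbytes` exceeds the bytes remaining after the fixed header (`client->req_len` words minus `sizeof(*stuff)`). The same pattern appears in the render/render.c hunk for ProcRenderSetPictureFilter. The enclosing function starts outside this hunk, so any earlier minimum-size check is not visible here.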
diff --git a/pseudoramiX/pseudoramiX.c b/pseudoramiX/pseudoramiX.c
index d8b2593..95f6e10 100644
--- a/pseudoramiX/pseudoramiX.c
+++ b/pseudoramiX/pseudoramiX.c
@@ -297,10 +297,11 @@ ProcPseudoramiXGetScreenSize(ClientPtr client)
 
     TRACE;
 
+    REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
+
     if (stuff->screen >= pseudoramiXNumScreens)
       return BadMatch;
 
-    REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
     rc = dixLookupWindow(&pWin, stuff->window, client, DixGetAttrAccess);
     if (rc != Success)
         return rc;
diff --git a/render/render.c b/render/render.c
index ccae49a..7d94bd5 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1757,6 +1757,9 @@ ProcRenderSetPictureFilter(ClientPtr client)
     name = (char *) (stuff + 1);
     params = (xFixed *) (name + pad_to_int32(stuff->nbytes));
     nparams = ((xFixed *) stuff + client->req_len) - params;
+    if (nparams < 0)
+	return BadLength;
+
     result = SetPictureFilter(pPicture, name, stuff->nbytes, params, nparams);
     return result;
 }
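Review bot: The added `return BadLength;` is indented with a tab, while the neighbouring lines of ProcRenderSetPictureFilter use spaces; re-indenting it to eight spaces keeps the function consistent and stops the branch body from appearing misaligned under other tab widths. The start of the function is outside this hunk.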
-- 
cgit v0.10.2