authorJagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>2018-07-30 15:32:36 +0530
committerRichard Purdie <richard.purdie@linuxfoundation.org>2018-08-15 10:22:46 +0100
commit4a59df45f8e10f4fcf33583602d5c622697caf21 (patch)
tree25ebb124ce9fb346d3a578a4bac2093e42f5e9d5
parent3259b70497355a009a2ce8159e4f851278e704a1 (diff)
downloadpoky-4a59df45f8e10f4fcf33583602d5c622697caf21.tar.gz
libxcursor: CVE-2017-16612
affects: <= 1.1.14 CVE-2017-16612: Fix heap overflows when parsing malicious files It is possible to trigger heap overflows due to an integer overflow while parsing images and a signedness issue while parsing comments. The integer overflow occurs because the chosen limit 0x10000 for dimensions is too large for 32 bit systems, because each pixel takes 4 bytes. Properly chosen values allow an overflow which in turn will lead to less allocated memory than needed for subsequent reads. The signedness bug is triggered by reading the length of a comment as unsigned int, but casting it to int when calling the function XcursorCommentCreate. Turning length into a negative value allows the check against XCURSOR_COMMENT_MAX_LEN to pass, and the following addition of sizeof (XcursorComment) + 1 makes it possible to allocate less memory than needed for subsequent reads. (From OE-Core rev: bdf13518e79ab949c4320226a399ee4a3913ee30) Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-graphics/xorg-lib/libxcursor/CVE-2017-16612.patch75
-rw-r--r--meta/recipes-graphics/xorg-lib/libxcursor_1.1.14.bb2
2 files changed, 77 insertions, 0 deletions
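--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libxcursor/CVE-2017-16612.patch
@@ -0,0 +1,75 @@
+From 4794b5dd34688158fb51a2943032569d3780c4b8 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sat, 21 Oct 2017 23:47:52 +0200
+Subject: Fix heap overflows when parsing malicious files. (CVE-2017-16612)
+
+It is possible to trigger heap overflows due to an integer overflow
+while parsing images and a signedness issue while parsing comments.
+
+The integer overflow occurs because the chosen limit 0x10000 for
+dimensions is too large for 32 bit systems, because each pixel takes
+4 bytes. Properly chosen values allow an overflow which in turn will
+lead to less allocated memory than needed for subsequent reads.
+
+The signedness bug is triggered by reading the length of a comment
+as unsigned int, but casting it to int when calling the function
+XcursorCommentCreate. Turning length into a negative value allows the
+check against XCURSOR_COMMENT_MAX_LEN to pass, and the following
+addition of sizeof (XcursorComment) + 1 makes it possible to allocate
+less memory than needed for subsequent reads.
+
+Upstream-Status: Backport from v1.1.15
+CVE: CVE-2017-16612
+
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ src/file.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/src/file.c b/src/file.c
+index 43163c2..da16277 100644
+--- a/src/file.c
++++ b/src/file.c
+@@ -29,6 +29,11 @@ XcursorImageCreate (int width, int height)
+ {
+ XcursorImage *image;
+
++ if (width < 0 || height < 0)
++ return NULL;
++ if (width > XCURSOR_IMAGE_MAX_SIZE || height > XCURSOR_IMAGE_MAX_SIZE)
++ return NULL;
++
+ image = malloc (sizeof (XcursorImage) +
+ width * height * sizeof (XcursorPixel));
+ if (!image)
+@@ -101,7 +106,7 @@ XcursorCommentCreate (XcursorUInt comment_type, int length)
+ {
+ XcursorComment *comment;
+
+- if (length > XCURSOR_COMMENT_MAX_LEN)
++ if (length < 0 || length > XCURSOR_COMMENT_MAX_LEN)
+ return NULL;
+
+ comment = malloc (sizeof (XcursorComment) + length + 1);
+@@ -448,7 +453,8 @@ _XcursorReadImage (XcursorFile *file,
+ if (!_XcursorReadUInt (file, &head.delay))
+ return NULL;
+ /* sanity check data */
+- if (head.width >= 0x10000 || head.height > 0x10000)
++ if (head.width > XCURSOR_IMAGE_MAX_SIZE ||
++ head.height > XCURSOR_IMAGE_MAX_SIZE)
+ return NULL;
+ if (head.width == 0 || head.height == 0)
+ return NULL;
+@@ -457,6 +463,8 @@ _XcursorReadImage (XcursorFile *file,
+
+ /* Create the image and initialize it */
+ image = XcursorImageCreate (head.width, head.height);
++ if (image == NULL)
++ return NULL;
+ if (chunkHeader.version < image->version)
+ image->version = chunkHeader.version;
+ image->size = chunkHeader.subtype;
+--
+cgit v1.1
+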
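Review bot: The new range checks in XcursorImageCreate (first hunk of the backported src/file.c change) make `width * height * sizeof (XcursorPixel)` safe only if XCURSOR_IMAGE_MAX_SIZE, which the patch references but never defines or shows, is small enough that `width * height` cannot overflow int and the whole allocation size still fits a 32-bit size_t, because the product is evaluated in int before the size_t widening. That dependency is worth recording beside the checks, e.g. `/* XCURSOR_IMAGE_MAX_SIZE must keep width * height within int and the allocation within size_t on 32-bit targets (CVE-2017-16612) */`, or the allocation can be guarded on its own by dividing the available size_t range by sizeof (XcursorPixel) and by height (after excluding height == 0) and rejecting any width above that quotient. Since the diffstat shows the backport touching src/file.c only while Upstream-Status says it comes from v1.1.15, it is worth confirming that the 1.1.14 tree being patched already defines XCURSOR_IMAGE_MAX_SIZE. XcursorImageCreate's body continues outside the hunk.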
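--- a/meta/recipes-graphics/xorg-lib/libxcursor_1.1.14.bb
+++ b/meta/recipes-graphics/xorg-lib/libxcursor_1.1.14.bb
@@ -16,6 +16,8 @@ BBCLASSEXTEND = "native nativesdk"
 
 PE = "1"
 
+SRC_URI += "file://CVE-2017-16612.patch"
+
 XORG_PN = "libXcursor"
 
 SRC_URI[md5sum] = "1e7c17afbbce83e2215917047c57d1b3"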