xorg: Fix for CVE-2013-6424

Integer underflow in the xTrapezoidValid macro in render/picture.h in X.Org allows context-dependent attackers to cause a denial of service (crash) via a negative bottom value. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-6424 (From OE-Core rev: 059dc5f4ef9bcf49cb6520f5f2ab1e739f4d42de) Signed-off-by: Baogen Shang <baogen.shang@windriver.com> Signed-off-by: Kai Kang <kai.kang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Kai Kang <kai.kang@windriver.com> 2014-04-01 17:09:50 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2014-04-01 23:37:01 +0100
commit: 377ce42a6a50da3e4de4bdd8936ce02b3c8c3d95 (patch)
tree: a03707dc3c85568df1060b34d1ad86887bedcd0c /meta/recipes-graphics/xorg-xserver
parent: 30959dda952b602b75bbd58ef225bbe4558ce440 (diff)
download: poky-377ce42a6a50da3e4de4bdd8936ce02b3c8c3d95.tar.gz
2 files changed, 32 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/xorg-CVE-2013-6424.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/xorg-CVE-2013-6424.patch
new file mode 100644
index 0000000000..7c6153022f
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/xorg-CVE-2013-6424.patch
@@ -0,0 +1,31 @@
+This patch comes from:
+http://lists.x.org/archives/xorg-devel/2013-October/037996.html
+Upstream-Status: Backport
+Signed-off-by: Baogen shang <baogen.shang@windriver.com>
+diff -Naur xorg-server-1.14.0-orig/exa/exa_render.c xorg-server-1.14.0/exa/exa_render.c
+--- xorg-server-1.14.0-orig/exa/exa_render.c    2014-02-27 14:32:38.000000000 +0800
+++ xorg-server-1.14.0/exa/exa_render.c 2014-02-27 15:46:59.000000000 +0800
+@@ -1141,7 +1141,8 @@
+ 
+         exaPrepareAccess(pPicture->pDrawable, EXA_PREPARE_DEST);
+         for (; ntrap; ntrap--, traps++)
+-            (*ps->RasterizeTrapezoid) (pPicture, traps, -bounds.x1, -bounds.y1);
+            if (xTrapezoidValid(traps))
+                (*ps->RasterizeTrapezoid) (pPicture, traps, -bounds.x1, -bounds.y1);
+         exaFinishAccess(pPicture->pDrawable, EXA_PREPARE_DEST);
+ 
+         xRel = bounds.x1 + xSrc - xDst;
+diff -Naur xorg-server-1.14.0-orig/render/picture.h xorg-server-1.14.0/render/picture.h
+--- xorg-server-1.14.0-orig/render/picture.h    2014-02-27 14:32:26.000000000 +0800
+++ xorg-server-1.14.0/render/picture.h 2014-02-27 15:48:13.000000000 +0800
+@@ -211,7 +211,7 @@
+ /* whether 't' is a well defined not obviously empty trapezoid */
+ #define xTrapezoidValid(t)  ((t)->left.p1.y != (t)->left.p2.y && \
+                             (t)->right.p1.y != (t)->right.p2.y && \
+-                            (int) ((t)->bottom - (t)->top) > 0)
+                            ((t)->bottom > (t)->top))
+ 
+ /*
+  * Standard NTSC luminance conversions:
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.15.0.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.15.0.bb
index a4dda4e7aa..1f9fa04c8d 100644
--- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.15.0.bb
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.15.0.bb
@@ -5,6 +5,7 @@ SRC_URI += "file://crosscompile.patch \
            file://fix_open_max_preprocessor_error.patch \
            file://mips64-compiler.patch \
            file://aarch64.patch \
+            file://xorg-CVE-2013-6424.patch \
           "
 SRC_URI[md5sum] = "c2ace3697b32414094cf8c597c39d7d9"
author	Kai Kang <kai.kang@windriver.com>	2014-04-01 17:09:50 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2014-04-01 23:37:01 +0100
commit	377ce42a6a50da3e4de4bdd8936ce02b3c8c3d95 (patch)
tree	a03707dc3c85568df1060b34d1ad86887bedcd0c /meta/recipes-graphics/xorg-xserver
parent	30959dda952b602b75bbd58ef225bbe4558ce440 (diff)
download	poky-377ce42a6a50da3e4de4bdd8936ce02b3c8c3d95.tar.gz

diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/xorg-CVE-2013-6424.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/xorg-CVE-2013-6424.patch new file mode 100644 index 0000000000..7c6153022f --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/xorg-CVE-2013-6424.patch
@@ -0,0 +1,31 @@
		1	This patch comes from:
		2	http://lists.x.org/archives/xorg-devel/2013-October/037996.html
		3
		4	Upstream-Status: Backport
		5
		6	Signed-off-by: Baogen shang <baogen.shang@windriver.com>
		7	diff -Naur xorg-server-1.14.0-orig/exa/exa_render.c xorg-server-1.14.0/exa/exa_render.c
		8	--- xorg-server-1.14.0-orig/exa/exa_render.c 2014-02-27 14:32:38.000000000 +0800
		9	+++ xorg-server-1.14.0/exa/exa_render.c 2014-02-27 15:46:59.000000000 +0800
		10	@@ -1141,7 +1141,8 @@
		11
		12	exaPrepareAccess(pPicture->pDrawable, EXA_PREPARE_DEST);
		13	for (; ntrap; ntrap--, traps++)
		14	- (*ps->RasterizeTrapezoid) (pPicture, traps, -bounds.x1, -bounds.y1);
		15	+ if (xTrapezoidValid(traps))
		16	+ (*ps->RasterizeTrapezoid) (pPicture, traps, -bounds.x1, -bounds.y1);
		17	exaFinishAccess(pPicture->pDrawable, EXA_PREPARE_DEST);
		18
		19	xRel = bounds.x1 + xSrc - xDst;
		20	diff -Naur xorg-server-1.14.0-orig/render/picture.h xorg-server-1.14.0/render/picture.h
		21	--- xorg-server-1.14.0-orig/render/picture.h 2014-02-27 14:32:26.000000000 +0800
		22	+++ xorg-server-1.14.0/render/picture.h 2014-02-27 15:48:13.000000000 +0800
		23	@@ -211,7 +211,7 @@
		24	/* whether 't' is a well defined not obviously empty trapezoid */
		25	#define xTrapezoidValid(t) ((t)->left.p1.y != (t)->left.p2.y && \
		26	(t)->right.p1.y != (t)->right.p2.y && \
		27	- (int) ((t)->bottom - (t)->top) > 0)
		28	+ ((t)->bottom > (t)->top))
		29
		30	/*
		31	* Standard NTSC luminance conversions:


diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.15.0.bb b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.15.0.bb index a4dda4e7aa..1f9fa04c8d 100644 --- a/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.15.0.bb +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg_1.15.0.bb
@@ -5,6 +5,7 @@ SRC_URI += "file://crosscompile.patch \
5	file://fix_open_max_preprocessor_error.patch \	5	file://fix_open_max_preprocessor_error.patch \
6	file://mips64-compiler.patch \	6	file://mips64-compiler.patch \
7	file://aarch64.patch \	7	file://aarch64.patch \
		8	file://xorg-CVE-2013-6424.patch \
8	"	9	"
9		10
10	SRC_URI[md5sum] = "c2ace3697b32414094cf8c597c39d7d9"	11	SRC_URI[md5sum] = "c2ace3697b32414094cf8c597c39d7d9"