diff options
Diffstat (limited to 'meta/recipes-graphics/xorg-lib/libx11')
-rw-r--r-- | meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7942.patch | 69 |
1 files changed, 69 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7942.patch b/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7942.patch new file mode 100644 index 0000000000..f5b4d69d4c --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7942.patch | |||
@@ -0,0 +1,69 @@ | |||
1 | From 8ea762f94f4c942d898fdeb590a1630c83235c17 Mon Sep 17 00:00:00 2001 | ||
2 | From: Tobias Stoeckmann <tobias@stoeckmann.org> | ||
3 | Date: Sun, 25 Sep 2016 21:25:25 +0200 | ||
4 | Subject: Validation of server responses in XGetImage() | ||
5 | |||
6 | Check if enough bytes were received for specified image type and | ||
7 | geometry. Otherwise GetPixel and other functions could trigger an | ||
8 | out of boundary read later on. | ||
9 | |||
10 | CVE: CVE-2016-7942 | ||
11 | Upstream-Status: Backport | ||
12 | |||
13 | Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org> | ||
14 | Reviewed-by: Matthieu Herrb <matthieu@herrb.eu> | ||
15 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
16 | |||
17 | diff --git a/src/GetImage.c b/src/GetImage.c | ||
18 | index c461abc..ff32d58 100644 | ||
19 | --- a/src/GetImage.c | ||
20 | +++ b/src/GetImage.c | ||
21 | @@ -59,6 +59,7 @@ XImage *XGetImage ( | ||
22 | char *data; | ||
23 | unsigned long nbytes; | ||
24 | XImage *image; | ||
25 | + int planes; | ||
26 | LockDisplay(dpy); | ||
27 | GetReq (GetImage, req); | ||
28 | /* | ||
29 | @@ -91,18 +92,28 @@ XImage *XGetImage ( | ||
30 | return (XImage *) NULL; | ||
31 | } | ||
32 | _XReadPad (dpy, data, nbytes); | ||
33 | - if (format == XYPixmap) | ||
34 | - image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual), | ||
35 | - Ones (plane_mask & | ||
36 | - (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))), | ||
37 | - format, 0, data, width, height, dpy->bitmap_pad, 0); | ||
38 | - else /* format == ZPixmap */ | ||
39 | - image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual), | ||
40 | - rep.depth, ZPixmap, 0, data, width, height, | ||
41 | - _XGetScanlinePad(dpy, (int) rep.depth), 0); | ||
42 | + if (format == XYPixmap) { | ||
43 | + image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual), | ||
44 | + Ones (plane_mask & | ||
45 | + (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))), | ||
46 | + format, 0, data, width, height, dpy->bitmap_pad, 0); | ||
47 | + planes = image->depth; | ||
48 | + } else { /* format == ZPixmap */ | ||
49 | + image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual), | ||
50 | + rep.depth, ZPixmap, 0, data, width, height, | ||
51 | + _XGetScanlinePad(dpy, (int) rep.depth), 0); | ||
52 | + planes = 1; | ||
53 | + } | ||
54 | |||
55 | if (!image) | ||
56 | Xfree(data); | ||
57 | + if (planes < 1 || image->height < 1 || image->bytes_per_line < 1 || | ||
58 | + INT_MAX / image->height <= image->bytes_per_line || | ||
59 | + INT_MAX / planes <= image->height * image->bytes_per_line || | ||
60 | + nbytes < planes * image->height * image->bytes_per_line) { | ||
61 | + XDestroyImage(image); | ||
62 | + image = NULL; | ||
63 | + } | ||
64 | UnlockDisplay(dpy); | ||
65 | SyncHandle(); | ||
66 | return (image); | ||
67 | -- | ||
68 | cgit v0.10.2 | ||
69 | |||