diff options
Diffstat (limited to 'meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-3.patch')
-rw-r--r-- | meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-3.patch | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-3.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-3.patch new file mode 100644 index 0000000000..54ba481024 --- /dev/null +++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2017-10971-3.patch | |||
@@ -0,0 +1,50 @@ | |||
1 | From ba336b24052122b136486961c82deac76bbde455 Mon Sep 17 00:00:00 2001 | ||
2 | From: Michal Srb <msrb@suse.com> | ||
3 | Date: Wed, 24 May 2017 15:54:42 +0300 | ||
4 | Subject: [PATCH] Xi: Do not try to swap GenericEvent. | ||
5 | |||
6 | The SProcXSendExtensionEvent must not attempt to swap GenericEvent because | ||
7 | it is assuming that the event has fixed size and gives the swapping function | ||
8 | xEvent-sized buffer. | ||
9 | |||
10 | A GenericEvent would be later rejected by ProcXSendExtensionEvent anyway. | ||
11 | |||
12 | Signed-off-by: Michal Srb <msrb@suse.com> | ||
13 | Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> | ||
14 | Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net> | ||
15 | |||
16 | CVE: CVE-2017-10971 | ||
17 | |||
18 | Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/xserver/commit/?id=ba336b24052122b136486961c82deac76bbde455] | ||
19 | |||
20 | Signed-off-by: Jackie Huang <jackie.huang@windriver.com> | ||
21 | --- | ||
22 | Xi/sendexev.c | 10 +++++++++- | ||
23 | 1 file changed, 9 insertions(+), 1 deletion(-) | ||
24 | |||
25 | diff --git a/Xi/sendexev.c b/Xi/sendexev.c | ||
26 | index 5e63bfc..5c2e0fc 100644 | ||
27 | --- a/Xi/sendexev.c | ||
28 | +++ b/Xi/sendexev.c | ||
29 | @@ -95,9 +95,17 @@ SProcXSendExtensionEvent(ClientPtr client) | ||
30 | |||
31 | eventP = (xEvent *) &stuff[1]; | ||
32 | for (i = 0; i < stuff->num_events; i++, eventP++) { | ||
33 | + if (eventP->u.u.type == GenericEvent) { | ||
34 | + client->errorValue = eventP->u.u.type; | ||
35 | + return BadValue; | ||
36 | + } | ||
37 | + | ||
38 | proc = EventSwapVector[eventP->u.u.type & 0177]; | ||
39 | - if (proc == NotImplemented) /* no swapping proc; invalid event type? */ | ||
40 | + /* no swapping proc; invalid event type? */ | ||
41 | + if (proc == NotImplemented) { | ||
42 | + client->errorValue = eventP->u.u.type; | ||
43 | return BadValue; | ||
44 | + } | ||
45 | (*proc) (eventP, &eventT); | ||
46 | *eventP = eventT; | ||
47 | } | ||
48 | -- | ||
49 | 1.7.9.5 | ||
50 | |||