diff options
Diffstat (limited to 'meta/recipes-graphics')
-rw-r--r-- | meta/recipes-graphics/xorg-lib/libxrender/CVE-2016-7949.patch | 59 | ||||
-rw-r--r-- | meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb | 3 |
2 files changed, 62 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-lib/libxrender/CVE-2016-7949.patch b/meta/recipes-graphics/xorg-lib/libxrender/CVE-2016-7949.patch new file mode 100644 index 0000000000..73315b1084 --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libxrender/CVE-2016-7949.patch | |||
@@ -0,0 +1,59 @@ | |||
1 | From 9362c7ddd1af3b168953d0737877bc52d79c94f4 Mon Sep 17 00:00:00 2001 | ||
2 | From: Tobias Stoeckmann <tobias@stoeckmann.org> | ||
3 | Date: Sun, 25 Sep 2016 21:43:09 +0200 | ||
4 | Subject: Validate lengths while parsing server data. | ||
5 | |||
6 | Individual lengths inside received server data can overflow | ||
7 | the previously reserved memory. | ||
8 | |||
9 | It is therefore important to validate every single length | ||
10 | field to not overflow the previously agreed sum of all invidual | ||
11 | length fields. | ||
12 | |||
13 | v2: consume remaining bytes in the reply buffer on error. | ||
14 | |||
15 | CVE: CVE-2016-7949 | ||
16 | Upstream-Status: Backport | ||
17 | |||
18 | Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org> | ||
19 | Reviewed-by: Matthieu Herrb@laas.fr | ||
20 | Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> | ||
21 | |||
22 | diff --git a/src/Xrender.c b/src/Xrender.c | ||
23 | index 3102eb2..71cf3e6 100644 | ||
24 | --- a/src/Xrender.c | ||
25 | +++ b/src/Xrender.c | ||
26 | @@ -533,12 +533,30 @@ XRenderQueryFormats (Display *dpy) | ||
27 | screen->fallback = _XRenderFindFormat (xri, xScreen->fallback); | ||
28 | screen->subpixel = SubPixelUnknown; | ||
29 | xDepth = (xPictDepth *) (xScreen + 1); | ||
30 | + if (screen->ndepths > rep.numDepths) { | ||
31 | + Xfree (xri); | ||
32 | + Xfree (xData); | ||
33 | + _XEatDataWords (dpy, rep.length); | ||
34 | + UnlockDisplay (dpy); | ||
35 | + SyncHandle (); | ||
36 | + return 0; | ||
37 | + } | ||
38 | + rep.numDepths -= screen->ndepths; | ||
39 | for (nd = 0; nd < screen->ndepths; nd++) | ||
40 | { | ||
41 | depth->depth = xDepth->depth; | ||
42 | depth->nvisuals = xDepth->nPictVisuals; | ||
43 | depth->visuals = visual; | ||
44 | xVisual = (xPictVisual *) (xDepth + 1); | ||
45 | + if (depth->nvisuals > rep.numVisuals) { | ||
46 | + Xfree (xri); | ||
47 | + Xfree (xData); | ||
48 | + _XEatDataWords (dpy, rep.length); | ||
49 | + UnlockDisplay (dpy); | ||
50 | + SyncHandle (); | ||
51 | + return 0; | ||
52 | + } | ||
53 | + rep.numVisuals -= depth->nvisuals; | ||
54 | for (nv = 0; nv < depth->nvisuals; nv++) | ||
55 | { | ||
56 | visual->visual = _XRenderFindVisual (dpy, xVisual->visual); | ||
57 | -- | ||
58 | cgit v0.10.2 | ||
59 | |||
diff --git a/meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb b/meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb index 44cb2e0ebb..eac367906c 100644 --- a/meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb +++ b/meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb | |||
@@ -19,5 +19,8 @@ XORG_PN = "libXrender" | |||
19 | 19 | ||
20 | BBCLASSEXTEND = "native nativesdk" | 20 | BBCLASSEXTEND = "native nativesdk" |
21 | 21 | ||
22 | SRC_URI += "file://CVE-2016-7949.patch \ | ||
23 | " | ||
24 | |||
22 | SRC_URI[md5sum] = "5db92962b124ca3a8147daae4adbd622" | 25 | SRC_URI[md5sum] = "5db92962b124ca3a8147daae4adbd622" |
23 | SRC_URI[sha256sum] = "fc2fe57980a14092426dffcd1f2d9de0987b9d40adea663bd70d6342c0e9be1a" | 26 | SRC_URI[sha256sum] = "fc2fe57980a14092426dffcd1f2d9de0987b9d40adea663bd70d6342c0e9be1a" |