2 files changed, 77 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-lib/libxcursor/CVE-2017-16612.patch b/meta/recipes-graphics/xorg-lib/libxcursor/CVE-2017-16612.patch
new file mode 100644
index 0000000000..9a1b12e4f4
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libxcursor/CVE-2017-16612.patch
@@ -0,0 +1,75 @@
+From 4794b5dd34688158fb51a2943032569d3780c4b8 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sat, 21 Oct 2017 23:47:52 +0200
+Subject: Fix heap overflows when parsing malicious files. (CVE-2017-16612)
+It is possible to trigger heap overflows due to an integer overflow
+while parsing images and a signedness issue while parsing comments.
+The integer overflow occurs because the chosen limit 0x10000 for
+dimensions is too large for 32 bit systems, because each pixel takes
+4 bytes. Properly chosen values allow an overflow which in turn will
+lead to less allocated memory than needed for subsequent reads.
+The signedness bug is triggered by reading the length of a comment
+as unsigned int, but casting it to int when calling the function
+XcursorCommentCreate. Turning length into a negative value allows the
+check against XCURSOR_COMMENT_MAX_LEN to pass, and the following
+addition of sizeof (XcursorComment) + 1 makes it possible to allocate
+less memory than needed for subsequent reads.
+Upstream-Status: Backport from v1.1.15
+CVE: CVE-2017-16612
+Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
+---
+ src/file.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+diff --git a/src/file.c b/src/file.c
+index 43163c2..da16277 100644
+--- a/src/file.c
+++ b/src/file.c
+@@ -29,6 +29,11 @@ XcursorImageCreate (int width, int height)
+ {
+     XcursorImage    *image;
+ 
+    if (width < 0 || height < 0)
+       return NULL;
+    if (width > XCURSOR_IMAGE_MAX_SIZE || height > XCURSOR_IMAGE_MAX_SIZE)
+       return NULL;
+
+     image = malloc (sizeof (XcursorImage) +
+                    width * height * sizeof (XcursorPixel));
+     if (!image)
+@@ -101,7 +106,7 @@ XcursorCommentCreate (XcursorUInt comment_type, int length)
+ {
+     XcursorComment  *comment;
+ 
+-    if (length > XCURSOR_COMMENT_MAX_LEN)
+    if (length < 0 || length > XCURSOR_COMMENT_MAX_LEN)
+        return NULL;
+ 
+     comment = malloc (sizeof (XcursorComment) + length + 1);
+@@ -448,7 +453,8 @@ _XcursorReadImage (XcursorFile              *file,
+     if (!_XcursorReadUInt (file, &head.delay))
+        return NULL;
+     /* sanity check data */
+-    if (head.width >= 0x10000 || head.height > 0x10000)
+    if (head.width > XCURSOR_IMAGE_MAX_SIZE  ||
+       head.height > XCURSOR_IMAGE_MAX_SIZE)
+        return NULL;
+     if (head.width == 0 || head.height == 0)
+        return NULL;
+@@ -457,6 +463,8 @@ _XcursorReadImage (XcursorFile              *file,
+ 
+     /* Create the image and initialize it */
+     image = XcursorImageCreate (head.width, head.height);
+    if (image == NULL)
+       return NULL;
+     if (chunkHeader.version < image->version)
+        image->version = chunkHeader.version;
+     image->size = chunkHeader.subtype;
+-- 
+cgit v1.1
diff --git a/meta/recipes-graphics/xorg-lib/libxcursor_1.1.14.bb b/meta/recipes-graphics/xorg-lib/libxcursor_1.1.14.bb
index 17629047b7..ccc4347820 100644
--- a/meta/recipes-graphics/xorg-lib/libxcursor_1.1.14.bb
+++ b/meta/recipes-graphics/xorg-lib/libxcursor_1.1.14.bb
@@ -16,6 +16,8 @@ BBCLASSEXTEND = "native nativesdk"
 PE = "1"
+SRC_URI += "file://CVE-2017-16612.patch"
 XORG_PN = "libXcursor"
 SRC_URI[md5sum] = "1e7c17afbbce83e2215917047c57d1b3"

diff --git a/meta/recipes-graphics/xorg-lib/libxcursor/CVE-2017-16612.patch b/meta/recipes-graphics/xorg-lib/libxcursor/CVE-2017-16612.patch new file mode 100644 index 0000000000..9a1b12e4f4 --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libxcursor/CVE-2017-16612.patch
@@ -0,0 +1,75 @@
		1	From 4794b5dd34688158fb51a2943032569d3780c4b8 Mon Sep 17 00:00:00 2001
		2	From: Tobias Stoeckmann <tobias@stoeckmann.org>
		3	Date: Sat, 21 Oct 2017 23:47:52 +0200
		4	Subject: Fix heap overflows when parsing malicious files. (CVE-2017-16612)
		5
		6	It is possible to trigger heap overflows due to an integer overflow
		7	while parsing images and a signedness issue while parsing comments.
		8
		9	The integer overflow occurs because the chosen limit 0x10000 for
		10	dimensions is too large for 32 bit systems, because each pixel takes
		11	4 bytes. Properly chosen values allow an overflow which in turn will
		12	lead to less allocated memory than needed for subsequent reads.
		13
		14	The signedness bug is triggered by reading the length of a comment
		15	as unsigned int, but casting it to int when calling the function
		16	XcursorCommentCreate. Turning length into a negative value allows the
		17	check against XCURSOR_COMMENT_MAX_LEN to pass, and the following
		18	addition of sizeof (XcursorComment) + 1 makes it possible to allocate
		19	less memory than needed for subsequent reads.
		20
		21	Upstream-Status: Backport from v1.1.15
		22	CVE: CVE-2017-16612
		23
		24	Signed-off-by: Jagadeesh Krishnanjanappa <jkrishnanjanappa@mvista.com>
		25	---
		26	src/file.c \| 12 ++++++++++--
		27	1 file changed, 10 insertions(+), 2 deletions(-)
		28
		29	diff --git a/src/file.c b/src/file.c
		30	index 43163c2..da16277 100644
		31	--- a/src/file.c
		32	+++ b/src/file.c
		33	@@ -29,6 +29,11 @@ XcursorImageCreate (int width, int height)
		34	{
		35	XcursorImage *image;
		36
		37	+ if (width < 0 \|\| height < 0)
		38	+ return NULL;
		39	+ if (width > XCURSOR_IMAGE_MAX_SIZE \|\| height > XCURSOR_IMAGE_MAX_SIZE)
		40	+ return NULL;
		41	+
		42	image = malloc (sizeof (XcursorImage) +
		43	width * height * sizeof (XcursorPixel));
		44	if (!image)
		45	@@ -101,7 +106,7 @@ XcursorCommentCreate (XcursorUInt comment_type, int length)
		46	{
		47	XcursorComment *comment;
		48
		49	- if (length > XCURSOR_COMMENT_MAX_LEN)
		50	+ if (length < 0 \|\| length > XCURSOR_COMMENT_MAX_LEN)
		51	return NULL;
		52
		53	comment = malloc (sizeof (XcursorComment) + length + 1);
		54	@@ -448,7 +453,8 @@ _XcursorReadImage (XcursorFile *file,
		55	if (!_XcursorReadUInt (file, &head.delay))
		56	return NULL;
		57	/* sanity check data */
		58	- if (head.width >= 0x10000 \|\| head.height > 0x10000)
		59	+ if (head.width > XCURSOR_IMAGE_MAX_SIZE \|\|
		60	+ head.height > XCURSOR_IMAGE_MAX_SIZE)
		61	return NULL;
		62	if (head.width == 0 \|\| head.height == 0)
		63	return NULL;
		64	@@ -457,6 +463,8 @@ _XcursorReadImage (XcursorFile *file,
		65
		66	/* Create the image and initialize it */
		67	image = XcursorImageCreate (head.width, head.height);
		68	+ if (image == NULL)
		69	+ return NULL;
		70	if (chunkHeader.version < image->version)
		71	image->version = chunkHeader.version;
		72	image->size = chunkHeader.subtype;
		73	--
		74	cgit v1.1
		75


diff --git a/meta/recipes-graphics/xorg-lib/libxcursor_1.1.14.bb b/meta/recipes-graphics/xorg-lib/libxcursor_1.1.14.bb index 17629047b7..ccc4347820 100644 --- a/meta/recipes-graphics/xorg-lib/libxcursor_1.1.14.bb +++ b/meta/recipes-graphics/xorg-lib/libxcursor_1.1.14.bb
@@ -16,6 +16,8 @@ BBCLASSEXTEND = "native nativesdk"
16		16
17	PE = "1"	17	PE = "1"
18		18
		19	SRC_URI += "file://CVE-2017-16612.patch"
		20
19	XORG_PN = "libXcursor"	21	XORG_PN = "libXcursor"
20		22
21	SRC_URI[md5sum] = "1e7c17afbbce83e2215917047c57d1b3"	23	SRC_URI[md5sum] = "1e7c17afbbce83e2215917047c57d1b3"