libxcursor: Fix CVE-2017-16612

libxcursor in the upstream pyro is 1.1.14 CVE: CVE-2017-16612 Reference: https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8 Change-Id: Ia1e81ae237e09ba67dabb0aa9426b763f1e96f8f Signed-off-by: Andreas Wellving <andreas.wellving@enea.com> Signed-off-by: Adrian Mangeac <adrian.mangeac@enea.com>
author: Dan Andresan <Dan.Andresan@enea.com> 2018-10-26 14:15:55 +0200
committer: Dan Andresan <Dan.Andresan@enea.com> 2018-10-26 14:15:55 +0200
commit: 2596922ee809af9fb48a0fc684bb560563de0994 (patch)
tree: 6b390c7354da3a76ee283c23cb56526eafd6acd6
parent: 5b8928cd5f01d83ae27824bb5d411723cabc3108 (diff)
download: meta-el-common-2596922ee809af9fb48a0fc684bb560563de0994.tar.gz
2 files changed, 84 insertions, 0 deletions
diff --git a/recipes-graphics/xorg-lib/libxcursor/CVE-2017-16612-Fix-heap-overflows-when-parsing-malicious-files.patch b/recipes-graphics/xorg-lib/libxcursor/CVE-2017-16612-Fix-heap-overflows-when-parsing-malicious-files.patch
new file mode 100644
index 0000000..9cad31e
--- /dev/null
+++ b/recipes-graphics/xorg-lib/libxcursor/CVE-2017-16612-Fix-heap-overflows-when-parsing-malicious-files.patch
@@ -0,0 +1,78 @@
+From 4794b5dd34688158fb51a2943032569d3780c4b8 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sat, 21 Oct 2017 23:47:52 +0200
+Subject: [PATCH] Fix heap overflows when parsing malicious files.
+ (CVE-2017-16612)
+It is possible to trigger heap overflows due to an integer overflow
+while parsing images and a signedness issue while parsing comments.
+The integer overflow occurs because the chosen limit 0x10000 for
+dimensions is too large for 32 bit systems, because each pixel takes
+4 bytes. Properly chosen values allow an overflow which in turn will
+lead to less allocated memory than needed for subsequent reads.
+The signedness bug is triggered by reading the length of a comment
+as unsigned int, but casting it to int when calling the function
+XcursorCommentCreate. Turning length into a negative value allows the
+check against XCURSOR_COMMENT_MAX_LEN to pass, and the following
+addition of sizeof (XcursorComment) + 1 makes it possible to allocate
+less memory than needed for subsequent reads.
+CVE: CVE-2017-16612
+Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8]
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ src/file.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+diff --git a/src/file.c b/src/file.c
+index 43163c2..da16277 100644
+--- a/src/file.c
+++ b/src/file.c
+@@ -29,6 +29,11 @@ XcursorImageCreate (int width, int height)
+ {
+     XcursorImage    *image;
+ 
+    if (width < 0 || height < 0)
+       return NULL;
+    if (width > XCURSOR_IMAGE_MAX_SIZE || height > XCURSOR_IMAGE_MAX_SIZE)
+       return NULL;
+
+     image = malloc (sizeof (XcursorImage) +
+                    width * height * sizeof (XcursorPixel));
+     if (!image)
+@@ -101,7 +106,7 @@ XcursorCommentCreate (XcursorUInt comment_type, int length)
+ {
+     XcursorComment  *comment;
+ 
+-    if (length > XCURSOR_COMMENT_MAX_LEN)
+    if (length < 0 || length > XCURSOR_COMMENT_MAX_LEN)
+        return NULL;
+ 
+     comment = malloc (sizeof (XcursorComment) + length + 1);
+@@ -448,7 +453,8 @@ _XcursorReadImage (XcursorFile              *file,
+     if (!_XcursorReadUInt (file, &head.delay))
+        return NULL;
+     /* sanity check data */
+-    if (head.width >= 0x10000 || head.height > 0x10000)
+    if (head.width > XCURSOR_IMAGE_MAX_SIZE  ||
+       head.height > XCURSOR_IMAGE_MAX_SIZE)
+        return NULL;
+     if (head.width == 0 || head.height == 0)
+        return NULL;
+@@ -457,6 +463,8 @@ _XcursorReadImage (XcursorFile              *file,
+ 
+     /* Create the image and initialize it */
+     image = XcursorImageCreate (head.width, head.height);
+    if (image == NULL)
+       return NULL;
+     if (chunkHeader.version < image->version)
+        image->version = chunkHeader.version;
+     image->size = chunkHeader.subtype;
+-- 
+2.7.4
diff --git a/recipes-graphics/xorg-lib/libxcursor_1.1.14.bbappend b/recipes-graphics/xorg-lib/libxcursor_1.1.14.bbappend
new file mode 100644
index 0000000..0f67cec
--- /dev/null
+++ b/recipes-graphics/xorg-lib/libxcursor_1.1.14.bbappend
@@ -0,0 +1,6 @@
+# look for files in the layer first
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+SRC_URI += " \
+        file://CVE-2017-16612-Fix-heap-overflows-when-parsing-malicious-files.patch \
+        "
author	Dan Andresan <Dan.Andresan@enea.com>	2018-10-26 14:15:55 +0200
committer	Dan Andresan <Dan.Andresan@enea.com>	2018-10-26 14:15:55 +0200
commit	2596922ee809af9fb48a0fc684bb560563de0994 (patch)
tree	6b390c7354da3a76ee283c23cb56526eafd6acd6
parent	5b8928cd5f01d83ae27824bb5d411723cabc3108 (diff)
download	meta-el-common-2596922ee809af9fb48a0fc684bb560563de0994.tar.gz

diff --git a/recipes-graphics/xorg-lib/libxcursor/CVE-2017-16612-Fix-heap-overflows-when-parsing-malicious-files.patch b/recipes-graphics/xorg-lib/libxcursor/CVE-2017-16612-Fix-heap-overflows-when-parsing-malicious-files.patch new file mode 100644 index 0000000..9cad31e --- /dev/null +++ b/recipes-graphics/xorg-lib/libxcursor/CVE-2017-16612-Fix-heap-overflows-when-parsing-malicious-files.patch
@@ -0,0 +1,78 @@
	1	From 4794b5dd34688158fb51a2943032569d3780c4b8 Mon Sep 17 00:00:00 2001
	2	From: Tobias Stoeckmann <tobias@stoeckmann.org>
	3	Date: Sat, 21 Oct 2017 23:47:52 +0200
	4	Subject: [PATCH] Fix heap overflows when parsing malicious files.
	5	(CVE-2017-16612)
	6
	7	It is possible to trigger heap overflows due to an integer overflow
	8	while parsing images and a signedness issue while parsing comments.
	9
	10	The integer overflow occurs because the chosen limit 0x10000 for
	11	dimensions is too large for 32 bit systems, because each pixel takes
	12	4 bytes. Properly chosen values allow an overflow which in turn will
	13	lead to less allocated memory than needed for subsequent reads.
	14
	15	The signedness bug is triggered by reading the length of a comment
	16	as unsigned int, but casting it to int when calling the function
	17	XcursorCommentCreate. Turning length into a negative value allows the
	18	check against XCURSOR_COMMENT_MAX_LEN to pass, and the following
	19	addition of sizeof (XcursorComment) + 1 makes it possible to allocate
	20	less memory than needed for subsequent reads.
	21
	22	CVE: CVE-2017-16612
	23	Upstream-Status: Backport [https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8]
	24
	25	Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
	26	Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
	27	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
	28	---
	29	src/file.c \| 12 ++++++++++--
	30	1 file changed, 10 insertions(+), 2 deletions(-)
	31
	32	diff --git a/src/file.c b/src/file.c
	33	index 43163c2..da16277 100644
	34	--- a/src/file.c
	35	+++ b/src/file.c
	36	@@ -29,6 +29,11 @@ XcursorImageCreate (int width, int height)
	37	{
	38	XcursorImage *image;
	39
	40	+ if (width < 0 \|\| height < 0)
	41	+ return NULL;
	42	+ if (width > XCURSOR_IMAGE_MAX_SIZE \|\| height > XCURSOR_IMAGE_MAX_SIZE)
	43	+ return NULL;
	44	+
	45	image = malloc (sizeof (XcursorImage) +
	46	width * height * sizeof (XcursorPixel));
	47	if (!image)
	48	@@ -101,7 +106,7 @@ XcursorCommentCreate (XcursorUInt comment_type, int length)
	49	{
	50	XcursorComment *comment;
	51
	52	- if (length > XCURSOR_COMMENT_MAX_LEN)
	53	+ if (length < 0 \|\| length > XCURSOR_COMMENT_MAX_LEN)
	54	return NULL;
	55
	56	comment = malloc (sizeof (XcursorComment) + length + 1);
	57	@@ -448,7 +453,8 @@ _XcursorReadImage (XcursorFile *file,
	58	if (!_XcursorReadUInt (file, &head.delay))
	59	return NULL;
	60	/* sanity check data */
	61	- if (head.width >= 0x10000 \|\| head.height > 0x10000)
	62	+ if (head.width > XCURSOR_IMAGE_MAX_SIZE \|\|
	63	+ head.height > XCURSOR_IMAGE_MAX_SIZE)
	64	return NULL;
	65	if (head.width == 0 \|\| head.height == 0)
	66	return NULL;
	67	@@ -457,6 +463,8 @@ _XcursorReadImage (XcursorFile *file,
	68
	69	/* Create the image and initialize it */
	70	image = XcursorImageCreate (head.width, head.height);
	71	+ if (image == NULL)
	72	+ return NULL;
	73	if (chunkHeader.version < image->version)
	74	image->version = chunkHeader.version;
	75	image->size = chunkHeader.subtype;
	76	--
	77	2.7.4
	78


diff --git a/recipes-graphics/xorg-lib/libxcursor_1.1.14.bbappend b/recipes-graphics/xorg-lib/libxcursor_1.1.14.bbappend new file mode 100644 index 0000000..0f67cec --- /dev/null +++ b/recipes-graphics/xorg-lib/libxcursor_1.1.14.bbappend
@@ -0,0 +1,6 @@
	1	# look for files in the layer first
	2	FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
	3
	4	SRC_URI += " \
	5	file://CVE-2017-16612-Fix-heap-overflows-when-parsing-malicious-files.patch \
	6	"