diff options
| author | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2017-12-04 09:01:44 +0300 |
|---|---|---|
| committer | Brad Bishop <bradleyb@fuzziesquirrel.com> | 2017-12-14 20:17:23 +0300 |
| commit | 37a0e4ddff58c0120cc5cfef104b60d0e180638c (patch) | |
| tree | 1628857a2eb33ab517ba93d6a3ca25e55bd3e628 /import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrender/CVE-2016-7949.patch | |
| parent | 3c4c45d1e9a2324191a8640b22df1b71f15f3037 (diff) | |
| download | openbmc-37a0e4ddff58c0120cc5cfef104b60d0e180638c.tar.xz | |
Squashed 'import-layers/yocto-poky/' changes from dc8508f6099..67491b0c104
Yocto 2.2.2 (Morty)
Change-Id: Id9a452e28940d9f166957de243d9cb1d8818704e
git-subtree-dir: import-layers/yocto-poky
git-subtree-split: 67491b0c104101bb9f366d697edd23c895be4302
Signed-off-by: Brad Bishop <bradleyb@fuzziesquirrel.com>
Diffstat (limited to 'import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrender/CVE-2016-7949.patch')
| -rw-r--r-- | import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrender/CVE-2016-7949.patch | 59 |
1 files changed, 59 insertions, 0 deletions
diff --git a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrender/CVE-2016-7949.patch b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrender/CVE-2016-7949.patch new file mode 100644 index 000000000..73315b108 --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrender/CVE-2016-7949.patch @@ -0,0 +1,59 @@ +From 9362c7ddd1af3b168953d0737877bc52d79c94f4 Mon Sep 17 00:00:00 2001 +From: Tobias Stoeckmann <tobias@stoeckmann.org> +Date: Sun, 25 Sep 2016 21:43:09 +0200 +Subject: Validate lengths while parsing server data. + +Individual lengths inside received server data can overflow +the previously reserved memory. + +It is therefore important to validate every single length +field to not overflow the previously agreed sum of all invidual +length fields. + +v2: consume remaining bytes in the reply buffer on error. + +CVE: CVE-2016-7949 +Upstream-Status: Backport + +Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org> +Reviewed-by: Matthieu Herrb@laas.fr +Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> + +diff --git a/src/Xrender.c b/src/Xrender.c +index 3102eb2..71cf3e6 100644 +--- a/src/Xrender.c ++++ b/src/Xrender.c +@@ -533,12 +533,30 @@ XRenderQueryFormats (Display *dpy) + screen->fallback = _XRenderFindFormat (xri, xScreen->fallback); + screen->subpixel = SubPixelUnknown; + xDepth = (xPictDepth *) (xScreen + 1); ++ if (screen->ndepths > rep.numDepths) { ++ Xfree (xri); ++ Xfree (xData); ++ _XEatDataWords (dpy, rep.length); ++ UnlockDisplay (dpy); ++ SyncHandle (); ++ return 0; ++ } ++ rep.numDepths -= screen->ndepths; + for (nd = 0; nd < screen->ndepths; nd++) + { + depth->depth = xDepth->depth; + depth->nvisuals = xDepth->nPictVisuals; + depth->visuals = visual; + xVisual = (xPictVisual *) (xDepth + 1); ++ if (depth->nvisuals > rep.numVisuals) { ++ Xfree (xri); ++ Xfree (xData); ++ _XEatDataWords (dpy, rep.length); ++ UnlockDisplay (dpy); ++ SyncHandle (); ++ return 0; ++ } ++ rep.numVisuals -= depth->nvisuals; + for (nv = 0; nv < depth->nvisuals; nv++) + { + visual->visual = _XRenderFindVisual (dpy, xVisual->visual); +-- +cgit v0.10.2 + |