Security fixes: X.Org CVE-2013-7439:

v2: backport to 3.5.0.x branch. (Mihai Moldovan)

Adds:
  - 1200-CVE-2013-7439-MakeBigReq-don-t-move-the-last-wo.full.patch

1 files changed, 77 insertions, 0 deletions

diff --git a/debian/patches/1200-CVE-2013-7439-MakeBigReq-don-t-move-the-last-wo.full.patch b/debian/patches/1200-CVE-2013-7439-MakeBigReq-don-t-move-the-last-wo.full.patch
new file mode 100644
index 000000000..6613d80d2
--- /dev/null
+++ b/debian/patches/1200-CVE-2013-7439-MakeBigReq-don-t-move-the-last-wo.full.patch
@@ -0,0 +1,77 @@
+commit ac9fbaabd6bdbca6dd1d94fa385aea41fdebf2c1
+Author: Karl Tomlinson <xmail@karlt.net>
+Date:   Wed Apr 15 10:16:18 2015 +0200
+
+    MakeBigReq: don't move the last word, already handled by Data32 (X.Org CVE-2013-7439).
+
+     MakeBigReq inserts a length field after the first 4 bytes of the request
+     (after req->length), pushing everything else back by 4 bytes.
+
+     The current memmove moves everything but the first 4 bytes back. If a
+     request aligns to the end of the buffer pointer when MakeBigReq is
+     invoked for that request, this runs over the buffer. Instead, we need to
+     memmove minus the first 4 bytes (which aren't moved), minus the last 4
+     bytes (so we still align to the previous tail).
+
+     The 4 bytes that fell out are already handled with Data32, which will
+     handle the buffermax correctly.
+
+     The case where req->length = 1 was already not functional.
+
+     Reported by Abhishek Arya <inferno@chromium.org> (against X.Org BTS).
+
+     https://bugzilla.mozilla.org/show_bug.cgi?id=803762
+
+     Reviewed-by: Jeff Muizelaar <jmuizelaar@mozilla.com>
+     Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+     Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+     Rebased-for-NX: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
+
+--- a/nx-X11/lib/X11/Xlibint.h
++++ b/nx-X11/lib/X11/Xlibint.h
+@@ -561,6 +561,14 @@ extern LockInfoPtr _Xglobal_lock;
+ 	dpy->request++
+ #endif
+ 
++/*
++ * MakeBigReq sets the CARD16 "req->length" to 0 and inserts a new CARD32
++ * length, after req->length, before the data in the request. The new length
++ * includes the "n" extra 32-bit words.
++ *
++ * Do not use MakeBigReq if there is no data already in the request.
++ * req->length must already be >= 2.
++ */
+ #ifdef WORD64
+ #define MakeBigReq(req,n) \
+     { \
+@@ -580,7 +588,7 @@ extern LockInfoPtr _Xglobal_lock;
+     CARD32 _BRlen = req->length - 1; \
+     req->length = 0; \
+     _BRdat = ((CARD32 *)req)[_BRlen]; \
+-    memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \
++    memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \
+     ((CARD32 *)req)[1] = _BRlen + n + 2; \
+     Data32(dpy, &_BRdat, 4); \
+     }
+@@ -591,13 +599,20 @@ extern LockInfoPtr _Xglobal_lock;
+     CARD32 _BRlen = req->length - 1; \
+     req->length = 0; \
+     _BRdat = ((CARD32 *)req)[_BRlen]; \
+-    memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \
++    memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \
+     ((CARD32 *)req)[1] = _BRlen + n + 2; \
+     Data32(dpy, &_BRdat, 4); \
+     }
+ #endif
+ #endif
+ 
++/*
++ * SetReqLen increases the count of 32-bit words in the request by "n",
++ * or by "badlen" if "n" is too large.
++ *
++ * Do not use SetReqLen if "req" does not already have data after the
++ * xReq header. req->length must already be >= 2.
++ */
+ #define SetReqLen(req,n,badlen) \
+     if ((req->length + n) > (unsigned)65535) { \
+ 	if (dpy->bigreq_size) { \