diff options
Diffstat (limited to 'debian/patches/1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch')
-rw-r--r-- | debian/patches/1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch | 74 |
1 files changed, 74 insertions, 0 deletions
diff --git a/debian/patches/1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch b/debian/patches/1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch new file mode 100644 index 000000000..8cb1d0d7b --- /dev/null +++ b/debian/patches/1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch @@ -0,0 +1,74 @@ +From 72790a55862f9a2232ba0cd7b072bbe3887cd820 Mon Sep 17 00:00:00 2001 +From: Mike DePaulo <mikedep333@gmail.com> +Date: Sun, 8 Feb 2015 20:01:27 -0500 +Subject: [PATCH 03/40] Avoid use-after-free in dix/dixfonts.c: doImageText() + [CVE-2013-4396] from xorg/Xserver + http://lists.x.org/archives/xorg-announce/2013-October/002332.html + +Save a pointer to the passed in closure structure before copying it +and overwriting the *c pointer to point to our copy instead of the +original. If we hit an error, once we free(c), reset c to point to +the original structure before jumping to the cleanup code that +references *c. + +Since one of the errors being checked for is whether the server was +able to malloc(c->nChars * itemSize), the client can potentially pass +a number of characters chosen to cause the malloc to fail and the +error path to be taken, resulting in the read from freed memory. + +Since the memory is accessed almost immediately afterwards, and the +X server is mostly single threaded, the odds of the free memory having +invalid contents are low with most malloc implementations when not using +memory debugging features, but some allocators will definitely overwrite +the memory there, leading to a likely crash. +--- + nx-X11/programs/Xserver/dix/dixfonts.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/nx-X11/programs/Xserver/dix/dixfonts.c b/nx-X11/programs/Xserver/dix/dixfonts.c +index 193f555..42fd647 100644 +--- a/nx-X11/programs/Xserver/dix/dixfonts.c ++++ b/nx-X11/programs/Xserver/dix/dixfonts.c +@@ -1559,6 +1559,7 @@ doImageText(ClientPtr client, register ITclosurePtr c) + GC *pGC; + unsigned char *data; + ITclosurePtr new_closure; ++ ITclosurePtr old_closure; + + /* We're putting the client to sleep. We need to + save some state. Similar problem to that handled +@@ -1571,6 +1572,7 @@ doImageText(ClientPtr client, register ITclosurePtr c) + err = BadAlloc; + goto bail; + } ++ old_closure = c; + *new_closure = *c; + c = new_closure; + +@@ -1578,6 +1580,7 @@ doImageText(ClientPtr client, register ITclosurePtr c) + if (!data) + { + xfree(c); ++ c = old_closure; + err = BadAlloc; + goto bail; + } +@@ -1589,6 +1592,7 @@ doImageText(ClientPtr client, register ITclosurePtr c) + { + xfree(c->data); + xfree(c); ++ c = old_closure; + err = BadAlloc; + goto bail; + } +@@ -1602,6 +1606,7 @@ doImageText(ClientPtr client, register ITclosurePtr c) + FreeScratchGC(pGC); + xfree(c->data); + xfree(c); ++ c = old_closure; + err = BadAlloc; + goto bail; + } +-- +2.1.4 + |