diff options
Diffstat (limited to 'debian/patches/1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch')
| -rw-r--r-- | debian/patches/1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch | 53 |
1 files changed, 0 insertions, 53 deletions
diff --git a/debian/patches/1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch b/debian/patches/1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch deleted file mode 100644 index 5a83050b3..000000000 --- a/debian/patches/1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch +++ /dev/null @@ -1,53 +0,0 @@ -From c1225fe6451d7a5f3741ce0fff8f54e38e0a14da Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith <alan.coopersmith@oracle.com> -Date: Wed, 22 Jan 2014 21:11:16 -0800 -Subject: [PATCH 19/40] dix: integer overflow in ProcPutImage() [CVE-2014-8092 - 1/4] - -ProcPutImage() calculates a length field from a width, left pad and depth -specified by the client (if the specified format is XYPixmap). - -The calculations for the total amount of memory the server needs for the -pixmap can overflow a 32-bit number, causing out-of-bounds memory writes -on 32-bit systems (since the length is stored in a long int variable). - -v2: backport to nx-libs 3.6.x (Mike DePaulo) -v3: port to NXdispatch.c rather than dispatch.c (Mike DePaulo) -v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan) - -Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> -Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> -Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> - -Conflicts: - dix/dispatch.c ---- - nx-X11/programs/Xserver/dix/dispatch.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - ---- a/nx-X11/programs/Xserver/dix/dispatch.c -+++ b/nx-X11/programs/Xserver/dix/dispatch.c -@@ -2071,7 +2071,9 @@ ProcPutImage(register ClientPtr client) - - tmpImage = (char *)&stuff[1]; - lengthProto = length; -- -+ if (lengthProto >= (INT32_MAX / stuff->height)) -+ return BadLength; -+ - if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) + - (sizeof(xPutImageReq) >> 2)) != client->req_len) - return BadLength; ---- a/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c -+++ b/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c -@@ -2630,7 +2630,9 @@ ProcPutImage(client) - - tmpImage = (char *)&stuff[1]; - lengthProto = length; -- -+ if (lengthProto >= (INT32_MAX / stuff->height)) -+ return BadLength; -+ - if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) + - (sizeof(xPutImageReq) >> 2)) != client->req_len) - return BadLength; |