1 files changed, 42 insertions, 0 deletions

diff --git a/debian/patches/1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch b/debian/patches/1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch
new file mode 100644
index 000000000..05d491941
--- /dev/null
+++ b/debian/patches/1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch
@@ -0,0 +1,42 @@
+From c1225fe6451d7a5f3741ce0fff8f54e38e0a14da Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Wed, 22 Jan 2014 21:11:16 -0800
+Subject: [PATCH 19/40] dix: integer overflow in ProcPutImage() [CVE-2014-8092
+ 1/4]
+
+ProcPutImage() calculates a length field from a width, left pad and depth
+specified by the client (if the specified format is XYPixmap).
+
+The calculations for the total amount of memory the server needs for the
+pixmap can overflow a 32-bit number, causing out-of-bounds memory writes
+on 32-bit systems (since the length is stored in a long int variable).
+
+v2: backport to nx-libs 3.6.x (Mike DePaulo)
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+Conflicts:
+	dix/dispatch.c
+---
+ nx-X11/programs/Xserver/dix/dispatch.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/nx-X11/programs/Xserver/dix/dispatch.c b/nx-X11/programs/Xserver/dix/dispatch.c
+index 6941456..5ad2f5a 100644
+--- a/nx-X11/programs/Xserver/dix/dispatch.c
++++ b/nx-X11/programs/Xserver/dix/dispatch.c
+@@ -2071,7 +2071,9 @@ ProcPutImage(register ClientPtr client)
+ 
+     tmpImage = (char *)&stuff[1];
+     lengthProto = length;
+-	
++    if (lengthProto >= (INT32_MAX / stuff->height))
++        return BadLength;
++
+     if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) + 
+ 	(sizeof(xPutImageReq) >> 2)) != client->req_len)
+ 	return BadLength;
+-- 
+2.1.4
+