Diffstat (limited to 'debian/patches/1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch')
-rw-r--r--debian/patches/1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch80
1 files changed, 80 insertions, 0 deletions
diff --git a/debian/patches/1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch b/debian/patches/1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch
new file mode 100644
index 000000000..5b9beb1c1
--- /dev/null
+++ b/debian/patches/1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch
@@ -0,0 +1,80 @@
+From 985ca320f841bd9a3efc484f92436b3d65ec1b31 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Wed, 22 Jan 2014 23:12:04 -0800
+Subject: [PATCH 23/40] dbe: unvalidated lengths in DbeSwapBuffers calls
+ [CVE-2014-8097]
+
+ProcDbeSwapBuffers() has a 32bit (n) length value that it uses to read
+from a buffer. The length is never validated, which can lead to out of
+bound reads, and possibly returning the data read from out of bounds to
+the misbehaving client via an X Error packet.
+
+SProcDbeSwapBuffers() swaps data (for correct endianness) before
+handing it off to the real proc. While doing the swapping, the
+length field is not validated, which can cause memory corruption.
+
+v2: reorder checks to avoid compilers optimizing out checks for overflow
+that happen after we'd already have done the overflowing multiplications.
+v3: backport to nx-libs 3.6.x (Mike DePaulo)
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+Conflicts:
+ dbe/dbe.c
+---
+ nx-X11/programs/Xserver/dbe/dbe.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/nx-X11/programs/Xserver/dbe/dbe.c b/nx-X11/programs/Xserver/dbe/dbe.c
+index c0d6131..5a1e9b0 100644
+--- a/nx-X11/programs/Xserver/dbe/dbe.c
++++ b/nx-X11/programs/Xserver/dbe/dbe.c
+@@ -725,8 +725,8 @@ ProcDbeSwapBuffers(client)
+ DbeSwapInfoPtr swapInfo;
+ xDbeSwapInfo *dbeSwapInfo;
+ int error;
+- register int i, j;
+- int nStuff;
++ unsigned int i, j;
++ unsigned int nStuff;
+
+
+ REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
+@@ -734,11 +734,13 @@ ProcDbeSwapBuffers(client)
+
+ if (nStuff == 0)
+ {
++ REQUEST_SIZE_MATCH(xDbeSwapBuffersReq);
+ return(Success);
+ }
+
+ if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec))
+ return BadAlloc;
++ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, nStuff * sizeof(xDbeSwapInfo));
+
+ /* Get to the swap info appended to the end of the request. */
+ dbeSwapInfo = (xDbeSwapInfo *)&stuff[1];
+@@ -1289,7 +1291,7 @@ SProcDbeSwapBuffers(client)
+ ClientPtr client;
+ {
+ REQUEST(xDbeSwapBuffersReq);
+- register int i, n;
++ unsigned int i, n;
+ xDbeSwapInfo *pSwapInfo;
+
+
+@@ -1297,6 +1299,9 @@ SProcDbeSwapBuffers(client)
+ REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
+
+ swapl(&stuff->n, n);
++ if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))
++ return BadAlloc;
++ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo));
+
+ if (stuff->n != 0)
+ {
+--
+2.1.4
+
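Review bot: The overflow guards divide by `sizeof(DbeSwapInfoRec)`, but the lengths passed to `REQUEST_FIXED_SIZE` in both ProcDbeSwapBuffers and SProcDbeSwapBuffers multiply by `sizeof(xDbeSwapInfo)`, so the guard only covers that multiplication if the server-side record is at least as large as the wire record, which the patch does not show. In SProcDbeSwapBuffers no `DbeSwapInfoRec` is visible at all, so the bound reads as copied from the other function rather than derived from the swap loop it protects. I would state the assumption where it is relied on, e.g. `/* bound uses sizeof(DbeSwapInfoRec), assumed >= sizeof(xDbeSwapInfo), so the product below cannot wrap */` above each `REQUEST_FIXED_SIZE` call, or guard on the larger of the two sizes. Both function bodies continue outside the quoted hunks, and the definition of `REQUEST_FIXED_SIZE` in this tree is not part of the patch, so whether the macro has its own wrap protection should be confirmed against the backported headers.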