diff options
Diffstat (limited to 'debian/patches/1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls.full.patch')
-rw-r--r-- | debian/patches/1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls.full.patch | 75 |
1 files changed, 0 insertions, 75 deletions
diff --git a/debian/patches/1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls.full.patch b/debian/patches/1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls.full.patch deleted file mode 100644 index f9fc99489..000000000 --- a/debian/patches/1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls.full.patch +++ /dev/null @@ -1,75 +0,0 @@ -From 985ca320f841bd9a3efc484f92436b3d65ec1b31 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith <alan.coopersmith@oracle.com> -Date: Wed, 22 Jan 2014 23:12:04 -0800 -Subject: [PATCH 23/40] dbe: unvalidated lengths in DbeSwapBuffers calls - [CVE-2014-8097] - -ProcDbeSwapBuffers() has a 32bit (n) length value that it uses to read -from a buffer. The length is never validated, which can lead to out of -bound reads, and possibly returning the data read from out of bounds to -the misbehaving client via an X Error packet. - -SProcDbeSwapBuffers() swaps data (for correct endianness) before -handing it off to the real proc. While doing the swapping, the -length field is not validated, which can cause memory corruption. - -v2: reorder checks to avoid compilers optimizing out checks for overflow -that happen after we'd already have done the overflowing multiplications. -v3: backport to nx-libs 3.6.x (Mike DePaulo) - -Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> -Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> -Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> - -Conflicts: - dbe/dbe.c ---- - nx-X11/programs/Xserver/dbe/dbe.c | 11 ++++++++--- - 1 file changed, 8 insertions(+), 3 deletions(-) - ---- a/nx-X11/programs/Xserver/dbe/dbe.c -+++ b/nx-X11/programs/Xserver/dbe/dbe.c -@@ -725,8 +725,8 @@ ProcDbeSwapBuffers(client) - DbeSwapInfoPtr swapInfo; - xDbeSwapInfo *dbeSwapInfo; - int error; -- register int i, j; -- int nStuff; -+ unsigned int i, j; -+ unsigned int nStuff; - - - REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq); -@@ -734,11 +734,13 @@ ProcDbeSwapBuffers(client) - - if (nStuff == 0) - { -+ REQUEST_SIZE_MATCH(xDbeSwapBuffersReq); - return(Success); - } - - if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec)) - return BadAlloc; -+ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, nStuff * sizeof(xDbeSwapInfo)); - - /* Get to the swap info appended to the end of the request. */ - dbeSwapInfo = (xDbeSwapInfo *)&stuff[1]; -@@ -1289,7 +1291,7 @@ SProcDbeSwapBuffers(client) - ClientPtr client; - { - REQUEST(xDbeSwapBuffersReq); -- register int i, n; -+ unsigned int i, n; - xDbeSwapInfo *pSwapInfo; - - -@@ -1297,6 +1299,9 @@ SProcDbeSwapBuffers(client) - REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq); - - swapl(&stuff->n, n); -+ if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec)) -+ return BadAlloc; -+ REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo)); - - if (stuff->n != 0) - { |