1 files changed, 29 insertions, 0 deletions

diff --git a/debian/patches/1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch b/debian/patches/1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch
new file mode 100644
index 000000000..7b6f28c00
--- /dev/null
+++ b/debian/patches/1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch
@@ -0,0 +1,29 @@
+commit dba779d9f99ab2fc6bf05c78515dbdd82840cadd
+Author: Keith Packard <keithp@keithp.com>
+Date:   Fri May 1 13:09:24 2015 +0200
+
+    dix: Allow zero-height PutImage requests (fix for X.Org's CVE-2015-3418).
+
+     The length checking code validates PutImage height and byte width by
+     making sure that byte-width >= INT32_MAX / height. If height is zero,
+     this generates a divide by zero exception. Allow zero height requests
+     explicitly, bypassing the INT32_MAX check.
+
+     Fix for regression introduced by fix for CVE-2014-8092.
+
+     v2: backports to nx-libs 3.6.x (Mike Gabriel)
+     Signed-off-by: Keith Packard <keithp@keithp.com>
+
+diff --git a/nx-X11/programs/Xserver/dix/dispatch.c b/nx-X11/programs/Xserver/dix/dispatch.c
+index 5ad2f5a..ab10640 100644
+--- a/nx-X11/programs/Xserver/dix/dispatch.c
++++ b/nx-X11/programs/Xserver/dix/dispatch.c
+@@ -2071,7 +2071,7 @@ ProcPutImage(register ClientPtr client)
+ 
+     tmpImage = (char *)&stuff[1];
+     lengthProto = length;
+-    if (lengthProto >= (INT32_MAX / stuff->height))
++    if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height))
+         return BadLength;
+ 
+     if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) +