diff options
Diffstat (limited to 'debian/patches/1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch')
| -rw-r--r-- | debian/patches/1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch | 41 |
1 files changed, 0 insertions, 41 deletions
diff --git a/debian/patches/1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch b/debian/patches/1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch deleted file mode 100644 index e0bb00694..000000000 --- a/debian/patches/1210-CVE-2015-3418-dix-Allow-zero-height-PutImage-re.full.patch +++ /dev/null @@ -1,41 +0,0 @@ -commit dba779d9f99ab2fc6bf05c78515dbdd82840cadd -Author: Keith Packard <keithp@keithp.com> -Date: Fri May 1 13:09:24 2015 +0200 - - dix: Allow zero-height PutImage requests (fix for X.Org's CVE-2015-3418). - - The length checking code validates PutImage height and byte width by - making sure that byte-width >= INT32_MAX / height. If height is zero, - this generates a divide by zero exception. Allow zero height requests - explicitly, bypassing the INT32_MAX check. - - Fix for regression introduced by fix for CVE-2014-8092. - - v2: backports to nx-libs 3.6.x (Mike Gabriel) - v3: port to NXdispatch.c rather than dispatch.c (Mike DePaulo) - v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan) - - Signed-off-by: Keith Packard <keithp@keithp.com> - ---- a/nx-X11/programs/Xserver/dix/dispatch.c -+++ b/nx-X11/programs/Xserver/dix/dispatch.c -@@ -2071,7 +2071,7 @@ ProcPutImage(register ClientPtr client) - - tmpImage = (char *)&stuff[1]; - lengthProto = length; -- if (lengthProto >= (INT32_MAX / stuff->height)) -+ if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height)) - return BadLength; - - if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) + ---- a/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c -+++ b/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c -@@ -2630,7 +2630,7 @@ ProcPutImage(client) - - tmpImage = (char *)&stuff[1]; - lengthProto = length; -- if (lengthProto >= (INT32_MAX / stuff->height)) -+ if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height)) - return BadLength; - - if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) + |