diff options
Diffstat (limited to 'debian/patches')
-rw-r--r-- | debian/patches/1200-CVE-2013-7439-MakeBigReq-don-t-move-the-last-wo.full.patch | 77 | ||||
-rw-r--r-- | debian/patches/series | 1 |
2 files changed, 78 insertions, 0 deletions
diff --git a/debian/patches/1200-CVE-2013-7439-MakeBigReq-don-t-move-the-last-wo.full.patch b/debian/patches/1200-CVE-2013-7439-MakeBigReq-don-t-move-the-last-wo.full.patch new file mode 100644 index 000000000..6613d80d2 --- /dev/null +++ b/debian/patches/1200-CVE-2013-7439-MakeBigReq-don-t-move-the-last-wo.full.patch @@ -0,0 +1,77 @@ +commit ac9fbaabd6bdbca6dd1d94fa385aea41fdebf2c1 +Author: Karl Tomlinson <xmail@karlt.net> +Date: Wed Apr 15 10:16:18 2015 +0200 + + MakeBigReq: don't move the last word, already handled by Data32 (X.Org CVE-2013-7439). + + MakeBigReq inserts a length field after the first 4 bytes of the request + (after req->length), pushing everything else back by 4 bytes. + + The current memmove moves everything but the first 4 bytes back. If a + request aligns to the end of the buffer pointer when MakeBigReq is + invoked for that request, this runs over the buffer. Instead, we need to + memmove minus the first 4 bytes (which aren't moved), minus the last 4 + bytes (so we still align to the previous tail). + + The 4 bytes that fell out are already handled with Data32, which will + handle the buffermax correctly. + + The case where req->length = 1 was already not functional. + + Reported by Abhishek Arya <inferno@chromium.org> (against X.Org BTS). + + https://bugzilla.mozilla.org/show_bug.cgi?id=803762 + + Reviewed-by: Jeff Muizelaar <jmuizelaar@mozilla.com> + Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> + Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> + Rebased-for-NX: Mike Gabriel <mike.gabriel@das-netzwerkteam.de> + +--- a/nx-X11/lib/X11/Xlibint.h ++++ b/nx-X11/lib/X11/Xlibint.h +@@ -561,6 +561,14 @@ extern LockInfoPtr _Xglobal_lock; + dpy->request++ + #endif + ++/* ++ * MakeBigReq sets the CARD16 "req->length" to 0 and inserts a new CARD32 ++ * length, after req->length, before the data in the request. The new length ++ * includes the "n" extra 32-bit words. ++ * ++ * Do not use MakeBigReq if there is no data already in the request. ++ * req->length must already be >= 2. ++ */ + #ifdef WORD64 + #define MakeBigReq(req,n) \ + { \ +@@ -580,7 +588,7 @@ extern LockInfoPtr _Xglobal_lock; + CARD32 _BRlen = req->length - 1; \ + req->length = 0; \ + _BRdat = ((CARD32 *)req)[_BRlen]; \ +- memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \ ++ memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \ + ((CARD32 *)req)[1] = _BRlen + n + 2; \ + Data32(dpy, &_BRdat, 4); \ + } +@@ -591,13 +599,20 @@ extern LockInfoPtr _Xglobal_lock; + CARD32 _BRlen = req->length - 1; \ + req->length = 0; \ + _BRdat = ((CARD32 *)req)[_BRlen]; \ +- memmove(((char *)req) + 8, ((char *)req) + 4, _BRlen << 2); \ ++ memmove(((char *)req) + 8, ((char *)req) + 4, (_BRlen - 1) << 2); \ + ((CARD32 *)req)[1] = _BRlen + n + 2; \ + Data32(dpy, &_BRdat, 4); \ + } + #endif + #endif + ++/* ++ * SetReqLen increases the count of 32-bit words in the request by "n", ++ * or by "badlen" if "n" is too large. ++ * ++ * Do not use SetReqLen if "req" does not already have data after the ++ * xReq header. req->length must already be >= 2. ++ */ + #define SetReqLen(req,n,badlen) \ + if ((req->length + n) > (unsigned)65535) { \ + if (dpy->bigreq_size) { \ diff --git a/debian/patches/series b/debian/patches/series index f0870d926..2856cbe9b 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -129,5 +129,6 @@ 1102-include-introduce-byte-counting-functions.patch 1103-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input-buff.patch 1104-xkb-Check-strings-length-against-request-size.patch +1200-CVE-2013-7439-MakeBigReq-don-t-move-the-last-wo.full.patch 0016_nx-X11_install-location.debian.patch 0102_xserver-xext_set-securitypolicy-path.debian.patch |