aboutsummaryrefslogtreecommitdiff
path: root/debian/patches/1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch
blob: 6d48ceed169b6b5559180338e3382b77f5bca87f (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
From c1225fe6451d7a5f3741ce0fff8f54e38e0a14da Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Wed, 22 Jan 2014 21:11:16 -0800
Subject: [PATCH 19/40] dix: integer overflow in ProcPutImage() [CVE-2014-8092
 1/4]

ProcPutImage() calculates a length field from a width, left pad and depth
specified by the client (if the specified format is XYPixmap).

The calculations for the total amount of memory the server needs for the
pixmap can overflow a 32-bit number, causing out-of-bounds memory writes
on 32-bit systems (since the length is stored in a long int variable).

v2: backport to nx-libs 3.6.x (Mike DePaulo)
v3: port to NXdispatch.c rather than dispatch.c (Mike DePaulo)
v4: backport v3 to nx-libs 3.5.0.x (Mihai Moldovan)

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>

Conflicts:
	dix/dispatch.c
---
 nx-X11/programs/Xserver/dix/dispatch.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/nx-X11/programs/Xserver/dix/dispatch.c
+++ b/nx-X11/programs/Xserver/dix/dispatch.c
@@ -2071,7 +2071,9 @@ ProcPutImage(register ClientPtr client)
 
     tmpImage = (char *)&stuff[1];
     lengthProto = length;
-	
+    if (lengthProto >= (INT32_MAX / stuff->height))
+        return BadLength;
+
     if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) + 
 	(sizeof(xPutImageReq) >> 2)) != client->req_len)
 	return BadLength;
--- a/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c
+++ b/nx-X11/programs/Xserver/hw/nxagent/NXdispatch.c
@@ -2630,7 +2630,9 @@ ProcPutImage(register ClientPtr client)
 
     tmpImage = (char *)&stuff[1];
     lengthProto = length;
-	
+    if (lengthProto >= (INT32_MAX / stuff->height))
+        return BadLength;
+
     if (((((lengthProto * stuff->height) + (unsigned)3) >> 2) + 
 	(sizeof(xPutImageReq) >> 2)) != client->req_len)
 	return BadLength;