X-Git-Url: https://git.piment-noir.org/?a=blobdiff_plain;ds=sidebyside;f=debian%2Fpatches%2FCVE-2014-8xxx%2F0002-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch;fp=debian%2Fpatches%2FCVE-2014-8xxx%2F0002-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch;h=085109a52a9960bb074b33691e5f2e6976bcd670;hb=7217e0ca50bba73dad94782e67980aeeb24ab693;hp=0000000000000000000000000000000000000000;hpb=a09e091a5c996d46a398abb27b06fe504591673f;p=deb_xorg-server.git diff --git a/debian/patches/CVE-2014-8xxx/0002-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch b/debian/patches/CVE-2014-8xxx/0002-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch new file mode 100644 index 0000000..085109a --- /dev/null +++ b/debian/patches/CVE-2014-8xxx/0002-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch @@ -0,0 +1,34 @@ +From 7e17b41d2907afd82d668f25694e1da12e34895e Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith +Date: Wed, 22 Jan 2014 21:11:16 -0800 +Subject: [PATCH 02/33] dix: integer overflow in ProcPutImage() [CVE-2014-8092 + 1/4] + +ProcPutImage() calculates a length field from a width, left pad and depth +specified by the client (if the specified format is XYPixmap). + +The calculations for the total amount of memory the server needs for the +pixmap can overflow a 32-bit number, causing out-of-bounds memory writes +on 32-bit systems (since the length is stored in a long int variable). + +Reported-by: Ilja Van Sprundel +Signed-off-by: Alan Coopersmith +Reviewed-by: Peter Hutterer +--- + dix/dispatch.c | 3 +++ + 1 file changed, 3 insertions(+) + +Index: xorg-server-1.15.1/dix/dispatch.c +=================================================================== +--- xorg-server-1.15.1.orig/dix/dispatch.c 2014-12-04 11:52:11.007847226 -0500 ++++ xorg-server-1.15.1/dix/dispatch.c 2014-12-04 11:52:10.975847036 -0500 +@@ -1957,6 +1957,9 @@ + tmpImage = (char *) &stuff[1]; + lengthProto = length; + ++ if (lengthProto >= (INT32_MAX / stuff->height)) ++ return BadLength; ++ + if ((bytes_to_int32(lengthProto * stuff->height) + + bytes_to_int32(sizeof(xPutImageReq))) != client->req_len) + return BadLength;