[deb_xorg-server.git] / debian / patches / CVE-2014-8xxx / 0002-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch

From 7e17b41d2907afd82d668f25694e1da12e34895e Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Wed, 22 Jan 2014 21:11:16 -0800
Subject: [PATCH 02/33] dix: integer overflow in ProcPutImage() [CVE-2014-8092
 1/4]

ProcPutImage() calculates a length field from a width, left pad and depth
specified by the client (if the specified format is XYPixmap).

The calculations for the total amount of memory the server needs for the
pixmap can overflow a 32-bit number, causing out-of-bounds memory writes
on 32-bit systems (since the length is stored in a long int variable).

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
 dix/dispatch.c |    3 +++
 1 file changed, 3 insertions(+)

Index: xorg-server-1.15.1/dix/dispatch.c
===================================================================
--- xorg-server-1.15.1.orig/dix/dispatch.c	2014-12-04 11:52:11.007847226 -0500
+++ xorg-server-1.15.1/dix/dispatch.c	2014-12-04 11:52:10.975847036 -0500
@@ -1957,6 +1957,9 @@
     tmpImage = (char *) &stuff[1];
     lengthProto = length;
 
+    if (lengthProto >= (INT32_MAX / stuff->height))
+        return BadLength;
+
     if ((bytes_to_int32(lengthProto * stuff->height) +
          bytes_to_int32(sizeof(xPutImageReq))) != client->req_len)
         return BadLength;
Commit	Line	Data
7217e0ca ML	1	From 7e17b41d2907afd82d668f25694e1da12e34895e Mon Sep 17 00:00:00 2001
	2	From: Alan Coopersmith <alan.coopersmith@oracle.com>
	3	Date: Wed, 22 Jan 2014 21:11:16 -0800
	4	Subject: [PATCH 02/33] dix: integer overflow in ProcPutImage() [CVE-2014-8092
	5	1/4]
	6
	7	ProcPutImage() calculates a length field from a width, left pad and depth
	8	specified by the client (if the specified format is XYPixmap).
	9
	10	The calculations for the total amount of memory the server needs for the
	11	pixmap can overflow a 32-bit number, causing out-of-bounds memory writes
	12	on 32-bit systems (since the length is stored in a long int variable).
	13
	14	Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
	15	Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
	16	Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
	17	---
	18	dix/dispatch.c \| 3 +++
	19	1 file changed, 3 insertions(+)
	20
	21	Index: xorg-server-1.15.1/dix/dispatch.c
	22	===================================================================
	23	--- xorg-server-1.15.1.orig/dix/dispatch.c 2014-12-04 11:52:11.007847226 -0500
	24	+++ xorg-server-1.15.1/dix/dispatch.c 2014-12-04 11:52:10.975847036 -0500
	25	@@ -1957,6 +1957,9 @@
	26	tmpImage = (char *) &stuff[1];
	27	lengthProto = length;
	28
	29	+ if (lengthProto >= (INT32_MAX / stuff->height))
	30	+ return BadLength;
	31	+
	32	if ((bytes_to_int32(lengthProto * stuff->height) +
	33	bytes_to_int32(sizeof(xPutImageReq))) != client->req_len)
	34	return BadLength;