[deb_xorg-server.git] / debian / patches / CVE-2014-8xxx / 0006-dri2-integer-overflow-in-ProcDRI2GetBuffers-CVE-2014.patch

From f07eb544bbcfd9d4c64f036b654f4567f1fd2b9c Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Wed, 22 Jan 2014 23:40:18 -0800
Subject: [PATCH 06/33] dri2: integer overflow in ProcDRI2GetBuffers()
 [CVE-2014-8094]

ProcDRI2GetBuffers() tries to validate a length field (count).
There is an integer overflow in the validation. This can cause
out of bound reads and memory corruption later on.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Julien Cristau <jcristau@debian.org>
---
 hw/xfree86/dri2/dri2ext.c |    3 +++
 1 file changed, 3 insertions(+)

diff --git a/hw/xfree86/dri2/dri2ext.c b/hw/xfree86/dri2/dri2ext.c
index ffd66fa..221ec53 100644
--- a/hw/xfree86/dri2/dri2ext.c
+++ b/hw/xfree86/dri2/dri2ext.c
@@ -270,6 +270,9 @@ ProcDRI2GetBuffers(ClientPtr client)
     unsigned int *attachments;
 
     REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * 4);
+    if (stuff->count > (INT_MAX / 4))
+        return BadLength;
+
     if (!validDrawable(client, stuff->drawable, DixReadAccess | DixWriteAccess,
                        &pDrawable, &status))
         return status;
-- 
1.7.9.2
Commit	Line	Data
7217e0ca ML	1	From f07eb544bbcfd9d4c64f036b654f4567f1fd2b9c Mon Sep 17 00:00:00 2001
	2	From: Alan Coopersmith <alan.coopersmith@oracle.com>
	3	Date: Wed, 22 Jan 2014 23:40:18 -0800
	4	Subject: [PATCH 06/33] dri2: integer overflow in ProcDRI2GetBuffers()
	5	[CVE-2014-8094]
	6
	7	ProcDRI2GetBuffers() tries to validate a length field (count).
	8	There is an integer overflow in the validation. This can cause
	9	out of bound reads and memory corruption later on.
	10
	11	Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
	12	Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
	13	Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
	14	Reviewed-by: Julien Cristau <jcristau@debian.org>
	15	---
	16	hw/xfree86/dri2/dri2ext.c \| 3 +++
	17	1 file changed, 3 insertions(+)
	18
	19	diff --git a/hw/xfree86/dri2/dri2ext.c b/hw/xfree86/dri2/dri2ext.c
	20	index ffd66fa..221ec53 100644
	21	--- a/hw/xfree86/dri2/dri2ext.c
	22	+++ b/hw/xfree86/dri2/dri2ext.c
	23	@@ -270,6 +270,9 @@ ProcDRI2GetBuffers(ClientPtr client)
	24	unsigned int *attachments;
	25
	26	REQUEST_FIXED_SIZE(xDRI2GetBuffersReq, stuff->count * 4);
	27	+ if (stuff->count > (INT_MAX / 4))
	28	+ return BadLength;
	29	+
	30	if (!validDrawable(client, stuff->drawable, DixReadAccess \| DixWriteAccess,
	31	&pDrawable, &status))
	32	return status;
	33	--
	34	1.7.9.2
	35