debian/patches/CVE-2014-8xxx/0002-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch

   1 From 7e17b41d2907afd82d668f25694e1da12e34895e Mon Sep 17 00:00:00 2001
   2 From: Alan Coopersmith <alan.coopersmith@oracle.com>
   3 Date: Wed, 22 Jan 2014 21:11:16 -0800
   4 Subject: [PATCH 02/33] dix: integer overflow in ProcPutImage() [CVE-2014-8092
   5  1/4]
   6
   7 ProcPutImage() calculates a length field from a width, left pad and depth
   8 specified by the client (if the specified format is XYPixmap).
   9
  10 The calculations for the total amount of memory the server needs for the
  11 pixmap can overflow a 32-bit number, causing out-of-bounds memory writes
  12 on 32-bit systems (since the length is stored in a long int variable).
  13
  14 Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
  15 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
  16 Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
  17 ---
  18  dix/dispatch.c |    3 +++
  19  1 file changed, 3 insertions(+)
  20
  21 --- a/dix/dispatch.c
  22 +++ b/dix/dispatch.c
  23 @@ -1957,6 +1957,9 @@ ProcPutImage(ClientPtr client)
  24      tmpImage = (char *) &stuff[1];
  25      lengthProto = length;
  26
  27 +    if (lengthProto >= (INT32_MAX / stuff->height))
  28 +        return BadLength;
  29 +
  30      if ((bytes_to_int32(lengthProto * stuff->height) +
  31           bytes_to_int32(sizeof(xPutImageReq))) != client->req_len)
  32          return BadLength;