Imported Debian patch 2:1.15.1-0ubuntu2.6

[deb_xorg-server.git] / debian / patches / CVE-2014-8xxx / 0002-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch

diff --git a/debian/patches/CVE-2014-8xxx/0002-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch b/debian/patches/CVE-2014-8xxx/0002-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch
new file mode 100644 (file)
index 0000000..085109a
--- /dev/null
+++ b/debian/patches/CVE-2014-8xxx/0002-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch
@@ -0,0 +1,34 @@
+From 7e17b41d2907afd82d668f25694e1da12e34895e Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Wed, 22 Jan 2014 21:11:16 -0800
+Subject: [PATCH 02/33] dix: integer overflow in ProcPutImage() [CVE-2014-8092
+ 1/4]
+
+ProcPutImage() calculates a length field from a width, left pad and depth
+specified by the client (if the specified format is XYPixmap).
+
+The calculations for the total amount of memory the server needs for the
+pixmap can overflow a 32-bit number, causing out-of-bounds memory writes
+on 32-bit systems (since the length is stored in a long int variable).
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ dix/dispatch.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+Index: xorg-server-1.15.1/dix/dispatch.c
+===================================================================
+--- xorg-server-1.15.1.orig/dix/dispatch.c     2014-12-04 11:52:11.007847226 -0500
++++ xorg-server-1.15.1/dix/dispatch.c  2014-12-04 11:52:10.975847036 -0500
+@@ -1957,6 +1957,9 @@
+     tmpImage = (char *) &stuff[1];
+     lengthProto = length;
+ 
++    if (lengthProto >= (INT32_MAX / stuff->height))
++        return BadLength;
++
+     if ((bytes_to_int32(lengthProto * stuff->height) +
+          bytes_to_int32(sizeof(xPutImageReq))) != client->req_len)
+         return BadLength;