Imported Debian patch 2:1.15.1-0ubuntu2.6
diff --git a/debian/patches/CVE-2014-8xxx/0007-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch b/debian/patches/CVE-2014-8xxx/0007-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch
new file mode 100644 (file)
index 0000000..0167ec0
--- /dev/null
@@ -0,0 +1,73 @@
+From 0d50f11aa10fe64c74ab7b3c572cc2f3ff583020 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Wed, 22 Jan 2014 23:12:04 -0800
+Subject: [PATCH 07/33] dbe: unvalidated lengths in DbeSwapBuffers calls
+ [CVE-2014-8097]
+
+ProcDbeSwapBuffers() has a 32bit (n) length value that it uses to read
+from a buffer. The length is never validated, which can lead to out of
+bound reads, and possibly returning the data read from out of bounds to
+the misbehaving client via an X Error packet.
+
+SProcDbeSwapBuffers() swaps data (for correct endianness) before
+handing it off to the real proc.  While doing the swapping, the
+length field is not validated, which can cause memory corruption.
+
+v2: reorder checks to avoid compilers optimizing out checks for overflow
+that happen after we'd already have done the overflowing multiplications.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+---
+ dbe/dbe.c |   11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/dbe/dbe.c b/dbe/dbe.c
+index 527588c..df2ad5c 100644
+--- a/dbe/dbe.c
++++ b/dbe/dbe.c
+@@ -450,18 +450,20 @@ ProcDbeSwapBuffers(ClientPtr client)
+     DbeSwapInfoPtr swapInfo;
+     xDbeSwapInfo *dbeSwapInfo;
+     int error;
+-    register int i, j;
+-    int nStuff;
++    unsigned int i, j;
++    unsigned int nStuff;
+     REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
+     nStuff = stuff->n;          /* use local variable for performance. */
+     if (nStuff == 0) {
++        REQUEST_SIZE_MATCH(xDbeSwapBuffersReq);
+         return Success;
+     }
+     if (nStuff > UINT32_MAX / sizeof(DbeSwapInfoRec))
+         return BadAlloc;
++    REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, nStuff * sizeof(xDbeSwapInfo));
+     /* Get to the swap info appended to the end of the request. */
+     dbeSwapInfo = (xDbeSwapInfo *) &stuff[1];
+@@ -914,13 +916,16 @@ static int
+ SProcDbeSwapBuffers(ClientPtr client)
+ {
+     REQUEST(xDbeSwapBuffersReq);
+-    register int i;
++    unsigned int i;
+     xDbeSwapInfo *pSwapInfo;
+     swaps(&stuff->length);
+     REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
+     swapl(&stuff->n);
++    if (stuff->n > UINT32_MAX / sizeof(DbeSwapInfoRec))
++        return BadAlloc;
++    REQUEST_FIXED_SIZE(xDbeSwapBuffersReq, stuff->n * sizeof(xDbeSwapInfo));
+     if (stuff->n != 0) {
+         pSwapInfo = (xDbeSwapInfo *) stuff + 1;
+-- 
+1.7.9.2
+
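Review bot: In SProcDbeSwapBuffers the new overflow guard divides UINT32_MAX by sizeof(DbeSwapInfoRec), while the product it protects on the following REQUEST_FIXED_SIZE line is stuff->n * sizeof(xDbeSwapInfo), a different type; the same pairing appears in the ProcDbeSwapBuffers hunk, where the DbeSwapInfoRec divisor presumably also guards an allocation of that record that lies outside the hunk. Neither struct definition is in view, so the guard is only sufficient if the server-side record is at least as large as the wire struct, and nothing in the patch records that assumption. A one-line comment above each check would make it verifiable by the next maintainer, e.g. `/* sizeof(DbeSwapInfoRec) >= sizeof(xDbeSwapInfo): this bound also covers the wire-size multiply below */`, or the SProc check could simply divide by sizeof(xDbeSwapInfo) to match its own multiplicand. Both ProcDbeSwapBuffers and SProcDbeSwapBuffers begin and end outside the hunks shown.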