repositories / deb_xorg-server.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Imported Debian patch 2:1.15.1-0ubuntu2.6
[deb_xorg-server.git] / debian / patches / CVE-2014-8xxx / 0014-render-check-request-size-before-reading-it-CVE-2014.patch
diff --git a/debian/patches/CVE-2014-8xxx/0014-render-check-request-size-before-reading-it-CVE-2014.patch b/debian/patches/CVE-2014-8xxx/0014-render-check-request-size-before-reading-it-CVE-2014.patch
new file mode 100644 (file)
index 0000000..b712c7b
--- /dev/null
+++ b/debian/patches/CVE-2014-8xxx/0014-render-check-request-size-before-reading-it-CVE-2014.patch
@@ -0,0 +1,36 @@
+From c12a45abf1ae41f5deca298489f5e76ac54f2121 Mon Sep 17 00:00:00 2001
+From: Julien Cristau <jcristau@debian.org>
+Date: Tue, 28 Oct 2014 10:30:04 +0100
+Subject: [PATCH 14/33] render: check request size before reading it
+ [CVE-2014-8100 1/2]
+
+Otherwise we may be reading outside of the client request.
+
+Signed-off-by: Julien Cristau <jcristau@debian.org>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+---
+ render/render.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/render/render.c b/render/render.c
+index e3031da..200e0c8 100644
+--- a/render/render.c
++++ b/render/render.c
+@@ -276,11 +276,11 @@ ProcRenderQueryVersion(ClientPtr client)
+     REQUEST(xRenderQueryVersionReq);
++    REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
++
+     pRenderClient->major_version = stuff->majorVersion;
+     pRenderClient->minor_version = stuff->minorVersion;
+-    REQUEST_SIZE_MATCH(xRenderQueryVersionReq);
+-
+     if ((stuff->majorVersion * 1000 + stuff->minorVersion) <
+         (SERVER_RENDER_MAJOR_VERSION * 1000 + SERVER_RENDER_MINOR_VERSION)) {
+         rep.majorVersion = stuff->majorVersion;
+-- 
+1.7.9.2
+
xorg-server Piment Noir Debian package repository