X-Git-Url: https://git.piment-noir.org/?p=deb_xorg-server.git;a=blobdiff_plain;f=debian%2Fpatches%2FCVE-2014-8xxx%2F0034-CVE-2014-8097-additional.patch;fp=debian%2Fpatches%2FCVE-2014-8xxx%2F0034-CVE-2014-8097-additional.patch;h=11ea00e4b281c9e6557a18fee9a114c73f3f3b49;hp=0000000000000000000000000000000000000000;hb=7217e0ca50bba73dad94782e67980aeeb24ab693;hpb=a09e091a5c996d46a398abb27b06fe504591673f
diff --git a/debian/patches/CVE-2014-8xxx/0034-CVE-2014-8097-additional.patch b/debian/patches/CVE-2014-8xxx/0034-CVE-2014-8097-additional.patch
new file mode 100644
index 0000000..11ea00e
--- /dev/null
+++ b/debian/patches/CVE-2014-8xxx/0034-CVE-2014-8097-additional.patch
@@ -0,0 +1,47 @@
+From b20912c3d45cbbde3c443e6c3d9e189092fe65e1 Mon Sep 17 00:00:00 2001
+From: Keith Packard
+Date: Tue, 9 Dec 2014 09:30:57 -0800
+Subject: dbe: Call to DDX SwapBuffers requires address of int, not unsigned
+ int [CVE-2014-8097 pt. 2]
+
+When the local types used to walk the DBE request were changed, this
+changed the type of the parameter passed to the DDX SwapBuffers API,
+but there wasn't a matching change in the API definition.
+
+At this point, with the API frozen, I just stuck a new variable in
+with the correct type. Because we've already bounds-checked nStuff to
+be smaller than UINT32_MAX / sizeof(DbeSwapInfoRec), we know it will
+fit in a signed int without overflow.
+
+Signed-off-by: Keith Packard
+Signed-off-by: Alan Coopersmith
+
+diff --git a/dbe/dbe.c b/dbe/dbe.c
+index df2ad5c..e5d928d 100644
+--- a/dbe/dbe.c
++++ b/dbe/dbe.c
+@@ -452,6 +452,7 @@ ProcDbeSwapBuffers(ClientPtr client)
+ int error;
+ unsigned int i, j;
+ unsigned int nStuff;
++ int nStuff_i; /* DDX API requires int for nStuff */
+
+ REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq);
+ nStuff = stuff->n; /* use local variable for performance. */
+@@ -527,9 +528,10 @@ ProcDbeSwapBuffers(ClientPtr client)
+ * could deal with cross-screen synchronization.
+ */
+
+- while (nStuff > 0) {
++ nStuff_i = nStuff;
++ while (nStuff_i > 0) {
+ pDbeScreenPriv = DBE_SCREEN_PRIV_FROM_WINDOW(swapInfo[0].pWindow);
+- error = (*pDbeScreenPriv->SwapBuffers) (client, &nStuff, swapInfo);
++ error = (*pDbeScreenPriv->SwapBuffers) (client, &nStuff_i, swapInfo);
+ if (error != Success) {
+ free(swapInfo);
+ return error;
+--
+cgit v0.10.2
+
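Review bot: The assignment `nStuff_i = nStuff;` ahead of the SwapBuffers loop in dbe/dbe.c is an implicit unsigned-to-signed conversion of a client-supplied count, and the check that makes it safe is not visible in either hunk of ProcDbeSwapBuffers, whose body begins and ends outside them. The commit message states the invariant, but the code only records that the DDX API wants an int, so I would pin it at the conversion: `nStuff_i = (int) nStuff; /* fits: nStuff < UINT32_MAX / sizeof(DbeSwapInfoRec), checked above */`. That way a later change to the earlier check cannot silently turn a large count into a negative one that skips the `while (nStuff_i > 0)` loop. The loop also appears to rely on each DDX SwapBuffers implementation reducing the count it is handed through `&nStuff_i`; a one-line comment at the call stating that contract would help anyone auditing the termination condition.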