diff options
Diffstat (limited to 'x11-servers/xorg-server/files/patch-CVE-2014-8097-pt2')
-rw-r--r-- | x11-servers/xorg-server/files/patch-CVE-2014-8097-pt2 | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/x11-servers/xorg-server/files/patch-CVE-2014-8097-pt2 b/x11-servers/xorg-server/files/patch-CVE-2014-8097-pt2 new file mode 100644 index 000000000000..70b898717ba1 --- /dev/null +++ b/x11-servers/xorg-server/files/patch-CVE-2014-8097-pt2 @@ -0,0 +1,50 @@ +From b20912c3d45cbbde3c443e6c3d9e189092fe65e1 Mon Sep 17 00:00:00 2001 +From: Keith Packard <keithp@keithp.com> +Date: Tue, 9 Dec 2014 09:30:57 -0800 +Subject: [PATCH 36/40] dbe: Call to DDX SwapBuffers requires address of int, + not unsigned int [CVE-2014-8097 pt. 2] + +When the local types used to walk the DBE request were changed, this +changed the type of the parameter passed to the DDX SwapBuffers API, +but there wasn't a matching change in the API definition. + +At this point, with the API frozen, I just stuck a new variable in +with the correct type. Because we've already bounds-checked nStuff to +be smaller than UINT32_MAX / sizeof(DbeSwapInfoRec), we know it will +fit in a signed int without overflow. + +Signed-off-by: Keith Packard <keithp@keithp.com +Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +--- + dbe/dbe.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/dbe/dbe.c b/dbe/dbe.c +index df2ad5c..e5d928d 100644 +--- dbe/dbe.c ++++ dbe/dbe.c +@@ -452,6 +452,7 @@ ProcDbeSwapBuffers(ClientPtr client) + int error; + unsigned int i, j; + unsigned int nStuff; ++ int nStuff_i; /* DDX API requires int for nStuff */ + + REQUEST_AT_LEAST_SIZE(xDbeSwapBuffersReq); + nStuff = stuff->n; /* use local variable for performance. */ +@@ -527,9 +528,10 @@ ProcDbeSwapBuffers(ClientPtr client) + * could deal with cross-screen synchronization. + */ + +- while (nStuff > 0) { ++ nStuff_i = nStuff; ++ while (nStuff_i > 0) { + pDbeScreenPriv = DBE_SCREEN_PRIV_FROM_WINDOW(swapInfo[0].pWindow); +- error = (*pDbeScreenPriv->SwapBuffers) (client, &nStuff, swapInfo); ++ error = (*pDbeScreenPriv->SwapBuffers) (client, &nStuff_i, swapInfo); + if (error != Success) { + free(swapInfo); + return error; +-- +2.1.2 + |