summaryrefslogtreecommitdiff
path: root/x11-servers/xorg-server/files/patch-CVE-2017-12179
diff options
context:
space:
mode:
Diffstat (limited to 'x11-servers/xorg-server/files/patch-CVE-2017-12179')
-rw-r--r--x11-servers/xorg-server/files/patch-CVE-2017-1217952
1 files changed, 0 insertions, 52 deletions
diff --git a/x11-servers/xorg-server/files/patch-CVE-2017-12179 b/x11-servers/xorg-server/files/patch-CVE-2017-12179
deleted file mode 100644
index 7787fc117d69..000000000000
--- a/x11-servers/xorg-server/files/patch-CVE-2017-12179
+++ /dev/null
@@ -1,52 +0,0 @@
-From c77cd08efcf386bcc5d8dfbd0427134b2b2d0888 Mon Sep 17 00:00:00 2001
-From: Nathan Kidd <nkidd@opentext.com>
-Date: Fri, 9 Jan 2015 10:04:41 -0500
-Subject: Xi: integer overflow and unvalidated length in
- (S)ProcXIBarrierReleasePointer
-
-[jcristau: originally this patch fixed the same issue as commit
- 211e05ac85 "Xi: Test exact size of XIBarrierReleasePointer", with the
- addition of these checks]
-
-This addresses CVE-2017-12179
-
-Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
-Reviewed-by: Julien Cristau <jcristau@debian.org>
-Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
-Signed-off-by: Nathan Kidd <nkidd@opentext.com>
-Signed-off-by: Julien Cristau <jcristau@debian.org>
-(cherry picked from commit d088e3c1286b548a58e62afdc70bb40981cdb9e8)
-
-
---- Xi/xibarriers.c.orig 2016-07-15 18:17:45.000000000 +0200
-+++ Xi/xibarriers.c 2017-10-13 18:26:09.226006000 +0200
-@@ -830,10 +830,15 @@
- REQUEST(xXIBarrierReleasePointerReq);
- int i;
-
-- info = (xXIBarrierReleasePointerInfo*) &stuff[1];
--
- swaps(&stuff->length);
-+ REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
-+
- swapl(&stuff->num_barriers);
-+ if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo))
-+ return BadLength;
-+ REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
-+
-+ info = (xXIBarrierReleasePointerInfo*) &stuff[1];
- for (i = 0; i < stuff->num_barriers; i++, info++) {
- swaps(&info->deviceid);
- swapl(&info->barrier);
-@@ -854,6 +859,10 @@
-
- REQUEST(xXIBarrierReleasePointerReq);
- REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq);
-+ if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo))
-+ return BadLength;
-+ REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo));
-+
-
- info = (xXIBarrierReleasePointerInfo*) &stuff[1];
- for (i = 0; i < stuff->num_barriers; i++, info++) {
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-23 19:49:51 +0000