diff options
Diffstat (limited to 'x11-servers/xorg-server/files/patch-CVE-2017-12179')
-rw-r--r-- | x11-servers/xorg-server/files/patch-CVE-2017-12179 | 52 |
1 files changed, 0 insertions, 52 deletions
diff --git a/x11-servers/xorg-server/files/patch-CVE-2017-12179 b/x11-servers/xorg-server/files/patch-CVE-2017-12179 deleted file mode 100644 index 7787fc117d69..000000000000 --- a/x11-servers/xorg-server/files/patch-CVE-2017-12179 +++ /dev/null @@ -1,52 +0,0 @@ -From c77cd08efcf386bcc5d8dfbd0427134b2b2d0888 Mon Sep 17 00:00:00 2001 -From: Nathan Kidd <nkidd@opentext.com> -Date: Fri, 9 Jan 2015 10:04:41 -0500 -Subject: Xi: integer overflow and unvalidated length in - (S)ProcXIBarrierReleasePointer - -[jcristau: originally this patch fixed the same issue as commit - 211e05ac85 "Xi: Test exact size of XIBarrierReleasePointer", with the - addition of these checks] - -This addresses CVE-2017-12179 - -Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> -Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com> -Reviewed-by: Julien Cristau <jcristau@debian.org> -Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com> -Signed-off-by: Nathan Kidd <nkidd@opentext.com> -Signed-off-by: Julien Cristau <jcristau@debian.org> -(cherry picked from commit d088e3c1286b548a58e62afdc70bb40981cdb9e8) - - ---- Xi/xibarriers.c.orig 2016-07-15 18:17:45.000000000 +0200 -+++ Xi/xibarriers.c 2017-10-13 18:26:09.226006000 +0200 -@@ -830,10 +830,15 @@ - REQUEST(xXIBarrierReleasePointerReq); - int i; - -- info = (xXIBarrierReleasePointerInfo*) &stuff[1]; -- - swaps(&stuff->length); -+ REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq); -+ - swapl(&stuff->num_barriers); -+ if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo)) -+ return BadLength; -+ REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo)); -+ -+ info = (xXIBarrierReleasePointerInfo*) &stuff[1]; - for (i = 0; i < stuff->num_barriers; i++, info++) { - swaps(&info->deviceid); - swapl(&info->barrier); -@@ -854,6 +859,10 @@ - - REQUEST(xXIBarrierReleasePointerReq); - REQUEST_AT_LEAST_SIZE(xXIBarrierReleasePointerReq); -+ if (stuff->num_barriers > UINT32_MAX / sizeof(xXIBarrierReleasePointerInfo)) -+ return BadLength; -+ REQUEST_FIXED_SIZE(xXIBarrierReleasePointerReq, stuff->num_barriers * sizeof(xXIBarrierReleasePointerInfo)); -+ - - info = (xXIBarrierReleasePointerInfo*) &stuff[1]; - for (i = 0; i < stuff->num_barriers; i++, info++) { |