Diffstat (limited to 'x11-servers/xorg-server/files/patch-CVE-2017-1218y')
-rw-r--r-- | x11-servers/xorg-server/files/patch-CVE-2017-1218y | 139 |
1 files changed, 0 insertions, 139 deletions
diff --git a/x11-servers/xorg-server/files/patch-CVE-2017-1218y b/x11-servers/xorg-server/files/patch-CVE-2017-1218y
deleted file mode 100644
index fe02768869ca..000000000000
--- a/x11-servers/xorg-server/files/patch-CVE-2017-1218y
+++ /dev/null
@@ -1,139 +0,0 @@
-From c206f36a4b6ecf2555ab2291c349ab7d7d0b02f5 Mon Sep 17 00:00:00 2001
-From: Nathan Kidd <nkidd@opentext.com>
-Date: Fri, 9 Jan 2015 09:57:23 -0500
-Subject: Unvalidated lengths
-
-v2: Add overflow check and remove unnecessary check (Julien Cristau)
-
-This addresses:
-CVE-2017-12184 in XINERAMA
-CVE-2017-12185 in MIT-SCREEN-SAVER
-CVE-2017-12186 in X-Resource
-CVE-2017-12187 in RENDER
-
-Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
-Reviewed-by: Julien Cristau <jcristau@debian.org>
-Signed-off-by: Nathan Kidd <nkidd@opentext.com>
-Signed-off-by: Julien Cristau <jcristau@debian.org>
-(cherry picked from commit cad5a1050b7184d828aef9c1dd151c3ab649d37e)
-
-diff --git a/Xext/panoramiX.c b/Xext/panoramiX.c
-index 209df29..844ea49 100644
---- Xext/panoramiX.c
-+++ Xext/panoramiX.c
-@@ -988,10 +988,11 @@ ProcPanoramiXGetScreenSize(ClientPtr client)
- xPanoramiXGetScreenSizeReply rep;
- int rc;
-
-+ REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
-+
- if (stuff->screen >= PanoramiXNumScreens)
- return BadMatch;
-
-- REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
- rc = dixLookupWindow(&pWin, stuff->window, client, DixGetAttrAccess);
- if (rc != Success)
- return rc;
-diff --git a/Xext/saver.c b/Xext/saver.c
-index 750b8b9..45ac4d2 100644
---- Xext/saver.c
-+++ Xext/saver.c
-@@ -1185,6 +1185,8 @@ ProcScreenSaverUnsetAttributes(ClientPtr client)
- PanoramiXRes *draw;
- int rc, i;
-
-+ REQUEST_SIZE_MATCH(xScreenSaverUnsetAttributesReq);
-+
- rc = dixLookupResourceByClass((void **) &draw, stuff->drawable,
- XRC_DRAWABLE, client, DixWriteAccess);
- if (rc != Success)
-diff --git a/Xext/xres.c b/Xext/xres.c
-index ae779df..bc54133 100644
---- Xext/xres.c
-+++ Xext/xres.c
-@@ -947,6 +947,8 @@ ProcXResQueryResourceBytes (ClientPtr client)
- ConstructResourceBytesCtx ctx;
-
- REQUEST_AT_LEAST_SIZE(xXResQueryResourceBytesReq);
-+ if (stuff->numSpecs > UINT32_MAX / sizeof(ctx.specs[0]))
-+ return BadLength;
- REQUEST_FIXED_SIZE(xXResQueryResourceBytesReq,
- stuff->numSpecs * sizeof(ctx.specs[0]));
-
-@@ -1052,8 +1054,8 @@ SProcXResQueryResourceBytes (ClientPtr client)
- int c;
- xXResResourceIdSpec *specs = (void*) ((char*) stuff + sizeof(*stuff));
-
-- swapl(&stuff->numSpecs);
- REQUEST_AT_LEAST_SIZE(xXResQueryResourceBytesReq);
-+ swapl(&stuff->numSpecs);
- REQUEST_FIXED_SIZE(xXResQueryResourceBytesReq,
- stuff->numSpecs * sizeof(specs[0]));
-
-diff --git a/Xext/xvdisp.c b/Xext/xvdisp.c
-index 8a35b7b..4d412b8 100644
---- Xext/xvdisp.c
-+++ Xext/xvdisp.c
-@@ -1493,12 +1493,14 @@ XineramaXvShmPutImage(ClientPtr client)
- {
- REQUEST(xvShmPutImageReq);
- PanoramiXRes *draw, *gc, *port;
-- Bool send_event = stuff->send_event;
-+ Bool send_event;
- Bool isRoot;
- int result, i, x, y;
-
- REQUEST_SIZE_MATCH(xvShmPutImageReq);
-
-+ send_event = stuff->send_event;
-+
- result = dixLookupResourceByClass((void **) &draw, stuff->drawable,
- XRC_DRAWABLE, client, DixWriteAccess);
- if (result != Success)
-diff --git a/hw/dmx/dmxpict.c b/hw/dmx/dmxpict.c
-index 1f1022e..63caec9 100644
---- hw/dmx/dmxpict.c
-+++ hw/dmx/dmxpict.c
-@@ -716,6 +716,8 @@ dmxProcRenderSetPictureFilter(ClientPtr client)
- filter = (char *) (stuff + 1);
- params = (XFixed *) (filter + ((stuff->nbytes + 3) & ~3));
- nparams = ((XFixed *) stuff + client->req_len) - params;
-+ if (nparams < 0)
-+ return BadLength;
-
- XRenderSetPictureFilter(dmxScreen->beDisplay,
- pPictPriv->pict, filter, params, nparams);
-diff --git a/pseudoramiX/pseudoramiX.c b/pseudoramiX/pseudoramiX.c
-index d8b2593..95f6e10 100644
---- pseudoramiX/pseudoramiX.c
-+++ pseudoramiX/pseudoramiX.c
-@@ -297,10 +297,11 @@ ProcPseudoramiXGetScreenSize(ClientPtr client)
-
- TRACE;
-
-+ REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
-+
- if (stuff->screen >= pseudoramiXNumScreens)
- return BadMatch;
-
-- REQUEST_SIZE_MATCH(xPanoramiXGetScreenSizeReq);
- rc = dixLookupWindow(&pWin, stuff->window, client, DixGetAttrAccess);
- if (rc != Success)
- return rc;
-diff --git a/render/render.c b/render/render.c
-index bfacaa0..3a41e33 100644
---- render/render.c
-+++ render/render.c
-@@ -1757,6 +1757,9 @@ ProcRenderSetPictureFilter(ClientPtr client)
- name = (char *) (stuff + 1);
- params = (xFixed *) (name + pad_to_int32(stuff->nbytes));
- nparams = ((xFixed *) stuff + client->req_len) - params;
-+ if (nparams < 0)
-+ return BadLength;
-+
- result = SetPictureFilter(pPicture, name, stuff->nbytes, params, nparams);
- return result;
- }
---
-cgit v0.10.2
-
|