guix-devel/gnu/packages/patches/virglrenderer-CVE-2017-6386...

Fix CVE-2017-6386 (memory leak introduced by fix for CVE-2017-5994).

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5994

Patch copied from upstream source repository:

https://cgit.freedesktop.org/virglrenderer/commit/?id=737c3350850ca4dbc5633b3bdb4118176ce59920

From 737c3350850ca4dbc5633b3bdb4118176ce59920 Mon Sep 17 00:00:00 2001
From: Dave Airlie <airlied@redhat.com>
Date: Tue, 28 Feb 2017 14:52:09 +1000
Subject: renderer: fix memory leak in vertex elements state create

Reported-by: Li Qiang
Free the vertex array in error path.
This was introduced by this commit:
renderer: fix heap overflow in vertex elements state create.

I rewrote the code to not require the allocation in the first
place if we have an error, seems nicer.

Signed-off-by: Dave Airlie <airlied@redhat.com>

diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
index 1bca7ad..e5d9f5c 100644
--- a/src/vrend_renderer.c
+++ b/src/vrend_renderer.c
@@ -1648,18 +1648,19 @@ int vrend_create_vertex_elements_state(struct vrend_context *ctx,
                                        unsigned num_elements,
                                        const struct pipe_vertex_element *elements)
 {
-   struct vrend_vertex_element_array *v = CALLOC_STRUCT(vrend_vertex_element_array);
+   struct vrend_vertex_element_array *v;
    const struct util_format_description *desc;
    GLenum type;
    int i;
    uint32_t ret_handle;
 
-   if (!v)
-      return ENOMEM;
-
    if (num_elements > PIPE_MAX_ATTRIBS)
       return EINVAL;
 
+   v = CALLOC_STRUCT(vrend_vertex_element_array);
+   if (!v)
+      return ENOMEM;
+
    v->count = num_elements;
    for (i = 0; i < num_elements; i++) {
       memcpy(&v->elements[i].base, &elements[i], sizeof(struct pipe_vertex_element));
-- 
cgit v0.10.2
gnu: virglrenderer: Fix CVE-2017-6386. * gnu/packages/patches/virglrenderer-CVE-2017-6386.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. * gnu/packages/spice.scm (virglrenderer)[source]: Use it. 2017-03-16 19:13:08 +01:00			`Fix CVE-2017-6386 (memory leak introduced by fix for CVE-2017-5994).`

			`https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5994`

			`Patch copied from upstream source repository:`

			`https://cgit.freedesktop.org/virglrenderer/commit/?id=737c3350850ca4dbc5633b3bdb4118176ce59920`

			`From 737c3350850ca4dbc5633b3bdb4118176ce59920 Mon Sep 17 00:00:00 2001`
			`From: Dave Airlie <airlied@redhat.com>`
			`Date: Tue, 28 Feb 2017 14:52:09 +1000`
			`Subject: renderer: fix memory leak in vertex elements state create`

			`Reported-by: Li Qiang`
			`Free the vertex array in error path.`
			`This was introduced by this commit:`
			`renderer: fix heap overflow in vertex elements state create.`

			`I rewrote the code to not require the allocation in the first`
			`place if we have an error, seems nicer.`

			`Signed-off-by: Dave Airlie <airlied@redhat.com>`

			`diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c`
			`index 1bca7ad..e5d9f5c 100644`
			`--- a/src/vrend_renderer.c`
			`+++ b/src/vrend_renderer.c`
			`@@ -1648,18 +1648,19 @@ int vrend_create_vertex_elements_state(struct vrend_context *ctx,`
			`unsigned num_elements,`
			`const struct pipe_vertex_element *elements)`
			`{`
			`- struct vrend_vertex_element_array *v = CALLOC_STRUCT(vrend_vertex_element_array);`
			`+ struct vrend_vertex_element_array *v;`
			`const struct util_format_description *desc;`
			`GLenum type;`
			`int i;`
			`uint32_t ret_handle;`

			`- if (!v)`
			`- return ENOMEM;`
			`-`
			`if (num_elements > PIPE_MAX_ATTRIBS)`
			`return EINVAL;`

			`+ v = CALLOC_STRUCT(vrend_vertex_element_array);`
			`+ if (!v)`
			`+ return ENOMEM;`
			`+`
			`v->count = num_elements;`
			`for (i = 0; i < num_elements; i++) {`
			`memcpy(&v->elements[i].base, &elements[i], sizeof(struct pipe_vertex_element));`
			`--`
			`cgit v0.10.2`