Fix CVE-2016-7949: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7949
Patch copied from upstream source repository: https://cgit.freedesktop.org/xorg/lib/libXrender/commit/?id=9362c7ddd1af3b168953d0737877bc52d79c94f4

From 9362c7ddd1af3b168953d0737877bc52d79c94f4 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann
Date: Sun, 25 Sep 2016 21:43:09 +0200
Subject: [PATCH] Validate lengths while parsing server data.

Individual lengths inside received server data can overflow the previously reserved memory. It is therefore important to validate every single length field to not overflow the previously agreed sum of all invidual length fields.

v2: consume remaining bytes in the reply buffer on error.

Signed-off-by: Tobias Stoeckmann
Reviewed-by: Matthieu Herrb@laas.fr
---
 src/Xrender.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/src/Xrender.c b/src/Xrender.c
index 3102eb2..71cf3e6 100644
--- a/src/Xrender.c
+++ b/src/Xrender.c
@@ -533,12 +533,30 @@ XRenderQueryFormats (Display *dpy)
 screen->fallback = _XRenderFindFormat (xri, xScreen->fallback);
 screen->subpixel = SubPixelUnknown;
 xDepth = (xPictDepth *) (xScreen + 1);
+ if (screen->ndepths > rep.numDepths) {
+ Xfree (xri);
+ Xfree (xData);
+ _XEatDataWords (dpy, rep.length);
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ return 0;
+ }
+ rep.numDepths -= screen->ndepths;
 for (nd = 0; nd < screen->ndepths; nd++) {
 depth->depth = xDepth->depth;
 depth->nvisuals = xDepth->nPictVisuals;
 depth->visuals = visual;
 xVisual = (xPictVisual *) (xDepth + 1);
+ if (depth->nvisuals > rep.numVisuals) {
+ Xfree (xri);
+ Xfree (xData);
+ _XEatDataWords (dpy, rep.length);
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ return 0;
+ }
+ rep.numVisuals -= depth->nvisuals;
 for (nv = 0; nv < depth->nvisuals; nv++) {
 visual->visual = _XRenderFindVisual (dpy, xVisual->visual);
-- 
2.10.1
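Review bot: Both new bail-out paths call `_XEatDataWords (dpy, rep.length)` even though the parser is already walking xScreen/xDepth/xVisual inside xData, which strongly suggests the whole reply body has already been pulled off the wire with `_XRead` in the part of XRenderQueryFormats above this hunk; if that is the case, eating rep.length more words here discards the beginning of the next reply or event and desynchronizes the Display instead of merely failing this call, so the `_XEatDataWords` line should be dropped from these two paths (the earlier allocation-failure path, which runs before the read, is the one that legitimately needs it) — please confirm against the `_XRead` call before the loop. Separately, the six-line cleanup (free xri and xData, unlock, SyncHandle, return 0) is now duplicated verbatim in both checks, and a single `goto fail;` label would keep the error paths from drifting apart. The counts being compared are the int fields `screen->ndepths`/`depth->nvisuals` against unsigned reply fields, so the comparison is presumably done unsigned and a server count above INT_MAX is still rejected after wrapping negative; that is fine, but a one-line comment such as `/* counts are validated against the totals the allocation was sized from */` would record why the subtraction that follows cannot underflow. The enclosing for-loops and XRenderQueryFormats itself begin and end outside this hunk.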