Fix CVE-2016-7950:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7950
Patch copied from upstream source repository:
https://cgit.freedesktop.org/xorg/lib/libXrender/commit/?id=8fad00b0b647ee662ce4737ca15be033b7a21714
From 8fad00b0b647ee662ce4737ca15be033b7a21714 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Sun, 25 Sep 2016 21:42:09 +0200
Subject: [PATCH] Avoid OOB write in XRenderQueryFilters
The memory for filter names is reserved right after receiving the reply.
After that, filters are iterated and each individual filter name is
stored in that reserved memory.
The individual name lengths are not checked for validity, which means
that a malicious server can reserve less memory than it will write to
during each iteration.
v2: consume remaining bytes in reply buffer on error.
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
---
src/Filter.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
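diff --git a/src/Filter.c b/src/Filter.c
index edfa572..8d701eb 100644
--- a/src/Filter.c
+++ b/src/Filter.c
@@ -38,7 +38,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
 char *name;
 char len;
 int i;
-unsigned long nbytes, nbytesAlias, nbytesName;
+unsigned long nbytes, nbytesAlias, nbytesName, reply_left;
 
 if (!RenderHasExtension (info))
 return NULL;
@@ -114,6 +114,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
 * Read the filter aliases
 */
 _XRead16Pad (dpy, filters->alias, 2 * rep.numAliases);
+reply_left = 8 + rep.length - 2 * rep.numAliases;;
 
 /*
 * Read the filter names
@@ -122,9 +123,19 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
 {
 int l;
 _XRead (dpy, &len, 1);
+reply_left--;
 l = len & 0xff;
+if ((unsigned long)l + 1 > nbytesName) {
+_XEatDataWords(dpy, reply_left);
+Xfree(filters);
+UnlockDisplay (dpy);
+SyncHandle ();
+return NULL;
+}
+nbytesName -= l + 1;
 filters->filter[i] = name;
 _XRead (dpy, name, l);
+reply_left -= l;
 name[l] = '\0';
 name += l + 1;
 }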
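Review bot: `reply_left` is maintained in bytes in the third hunk (`reply_left--` after a 1-byte `_XRead`, `reply_left -= l` after reading `l` bytes) but is passed to `_XEatDataWords(dpy, reply_left)`, which in libX11 takes a count of 32-bit words, so unless `rep.length` and the helper are both byte-based the error path discards the wrong amount of the reply and leaves the connection stream out of sync; confirm the units and either convert to words before the call or switch to the byte-counting eat helper. The initial `reply_left = 8 + rep.length - 2 * rep.numAliases` in the second hunk is unsigned arithmetic with no visible guard that `2 * rep.numAliases` does not exceed `8 + rep.length`, so a hostile server can wrap it to a huge value unless that is validated earlier in the function; a comment like `/* reply_left: unread reply payload; unit must match _XEatDataWords */` would pin the intended unit for the next maintainer. The same line also ends in a stray `;;` that should be a single semicolon. The new length check `(unsigned long)l + 1 > nbytesName` correctly covers the NUL written at `name[l]`, which is the fix the commit describes. The enclosing XRenderQueryFilters starts and ends outside these hunks.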
--
2.10.1