authorChí-Thanh Christopher Nguyễn <chithanh@gentoo.org>2015-04-28 15:38:08 +0000
committerChí-Thanh Christopher Nguyễn <chithanh@gentoo.org>2015-04-28 15:38:08 +0000
commit20a673c4408271cb4535f714eb1a3d7443e6af34 (patch)
treecfdff0a37abe233ff205ac069ca4b9d947821c82 /x11-base/xorg-server/files
parentChanging wxMaxima -> wxmaxima in new places, #547548 (diff)
Add fix for security bug #548002.
(Portage version: 2.2.18/cvs/Linux x86_64, signed Manifest commit with key 0x2324E7B566DF2611!)
Diffstat (limited to 'x11-base/xorg-server/files')
-rw-r--r--x11-base/xorg-server/files/xorg-server-1.12-cve-2015-3418.patch29
1 files changed, 29 insertions, 0 deletions
diff --git a/x11-base/xorg-server/files/xorg-server-1.12-cve-2015-3418.patch b/x11-base/xorg-server/files/xorg-server-1.12-cve-2015-3418.patch
new file mode 100644
index 000000000000..4b6a6aeab29e
--- /dev/null
+++ b/x11-base/xorg-server/files/xorg-server-1.12-cve-2015-3418.patch
@@ -0,0 +1,29 @@
+From dc777c346d5d452a53b13b917c45f6a1bad2f20b Mon Sep 17 00:00:00 2001
+From: Keith Packard <keithp@keithp.com>
+Date: Sat, 3 Jan 2015 08:46:45 -0800
+Subject: dix: Allow zero-height PutImage requests
+
+The length checking code validates PutImage height and byte width by
+making sure that byte-width >= INT32_MAX / height. If height is zero,
+this generates a divide by zero exception. Allow zero height requests
+explicitly, bypassing the INT32_MAX check.
+
+Signed-off-by: Keith Packard <keithp@keithp.com>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+diff --git a/dix/dispatch.c b/dix/dispatch.c
+index 55b978d..9044ac7 100644
+--- a/dix/dispatch.c
++++ b/dix/dispatch.c
+@@ -2000,7 +2000,7 @@ ProcPutImage(ClientPtr client)
+ tmpImage = (char *) &stuff[1];
+ lengthProto = length;
+
+- if (lengthProto >= (INT32_MAX / stuff->height))
++ if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height))
+ return BadLength;
+
+ if ((bytes_to_int32(lengthProto * stuff->height) +
+--
+cgit v0.10.2
+
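Review bot: The new guard `if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height))` in the embedded dix/dispatch.c hunk has no comment explaining why a zero height may skip the overflow check, so a later cleanup could drop the short-circuit and bring back the divide by zero. I would add above it something like `/* height == 0 is a valid request; skip the division, the req_len comparison below still bounds the data */`. The second half of that comment is inferred, because only the first line of the following `bytes_to_int32(lengthProto * stuff->height)` comparison is visible and ProcPutImage continues outside the hunk; confirm that it rejects a zero-height request that still carries image bytes. Separately, the patch header names neither CVE-2015-3418 (only the filename does) nor Gentoo bug #548002, and a one-line reference there would help anyone auditing which server versions carry the fix.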