
Bug#852947: jessie-pu: package libx11/2:1.6.2-3+deb8u1



Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

This is a bunch of CVE fixes, already in wheezy-lts and sid.

Cheers,
Julien

diff -u libx11-1.6.2/debian/changelog libx11-1.6.2/debian/changelog
--- libx11-1.6.2/debian/changelog
+++ libx11-1.6.2/debian/changelog
@@ -1,3 +1,11 @@
+libx11 (2:1.6.2-3+deb8u1) jessie; urgency=medium
+
+  * Insufficient validation of data from the X server can cause out of
+    boundary memory read (XGetImage()) or write (XListFonts()).
+    Addresses CVE-2016-7942 and CVE-2016-7943.
+
+ -- Julien Cristau <jcristau@debian.org>  Sat, 28 Jan 2017 14:01:35 +0100
+
 libx11 (2:1.6.2-3) unstable; urgency=medium
 
   [ Julien Cristau ]
only in patch2:
unchanged:
--- libx11-1.6.2.orig/src/FontNames.c
+++ libx11-1.6.2/src/FontNames.c
@@ -43,6 +43,7 @@
     register int length;
     char **flist = NULL;
     char *ch = NULL;
+    char *chstart;
     char *chend;
     int count = 0;
     xListFontsReply rep;
@@ -66,7 +67,7 @@
 
     if (rep.nFonts) {
 	flist = Xmalloc (rep.nFonts * sizeof(char *));
-	if (rep.length < (INT_MAX >> 2)) {
+	if (rep.length > 0 && rep.length < (INT_MAX >> 2)) {
 	    rlen = rep.length << 2;
 	    ch = Xmalloc(rlen + 1);
 	    /* +1 to leave room for last null-terminator */
@@ -86,6 +87,7 @@
 	/*
 	 * unpack into null terminated strings.
 	 */
+	chstart = ch;
 	chend = ch + (rlen + 1);
 	length = *(unsigned char *)ch;
 	*ch = 1; /* make sure it is non-zero for XFreeFontNames */
@@ -93,11 +95,24 @@
 	    if (ch + length < chend) {
 		flist[i] = ch + 1;  /* skip over length */
 		ch += length + 1;  /* find next length ... */
-		length = *(unsigned char *)ch;
-		*ch = '\0';  /* and replace with null-termination */
-		count++;
-	    } else
-		flist[i] = NULL;
+		if (ch <= chend) {
+		    length = *(unsigned char *)ch;
+		    *ch = '\0';  /* and replace with null-termination */
+		    count++;
+		} else {
+                    Xfree(chstart);
+                    Xfree(flist);
+                    flist = NULL;
+                    count = 0;
+                    break;
+		}
+	    } else {
+                Xfree(chstart);
+                Xfree(flist);
+                flist = NULL;
+                count = 0;
+                break;
+            }
 	}
     }
     *actualCount = count;
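Review bot: The new bound `if (ch <= chend)` at L71 still admits ch == chend, and since the buffer is allocated as `Xmalloc(rlen + 1)` earlier in this function and the previous hunk sets `chend = ch + (rlen + 1)`, chend is the one-past-the-end pointer, so the `*(unsigned char *)ch` read and the `*ch = '\0'` write on the two following lines touch one byte past the allocation on a reply whose last name runs to the end of the data; unless the allocation is larger than these hunks show, the test should be `if (ch < chend) {`, which still accepts every well-formed reply because the last name's terminator lands at index rlen at most. The same `ch <= chend` comparison is introduced in the ListExt.c hunk further down and deserves the same check, although that file's chend assignment is not part of the diff. The two cleanup blocks that free chstart and flist, reset count and break are duplicated verbatim and indented with spaces where the surrounding code uses tabs; one `goto` cleanup label or a small static helper would leave a single copy. The enclosing function starts and ends outside this hunk.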
only in patch2:
unchanged:
--- libx11-1.6.2.orig/src/GetImage.c
+++ libx11-1.6.2/src/GetImage.c
@@ -59,6 +59,7 @@
 	char *data;
 	unsigned long nbytes;
 	XImage *image;
+	int planes;
 	LockDisplay(dpy);
 	GetReq (GetImage, req);
 	/*
@@ -91,18 +92,28 @@
 	    return (XImage *) NULL;
 	}
         _XReadPad (dpy, data, nbytes);
-        if (format == XYPixmap)
-	   image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual),
-		  Ones (plane_mask &
-			(((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))),
-		  format, 0, data, width, height, dpy->bitmap_pad, 0);
-	else /* format == ZPixmap */
-           image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual),
-		 rep.depth, ZPixmap, 0, data, width, height,
-		  _XGetScanlinePad(dpy, (int) rep.depth), 0);
+        if (format == XYPixmap) {
+	    image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual),
+		Ones (plane_mask &
+		    (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))),
+		format, 0, data, width, height, dpy->bitmap_pad, 0);
+	    planes = image->depth;
+	} else { /* format == ZPixmap */
+            image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual),
+		rep.depth, ZPixmap, 0, data, width, height,
+		    _XGetScanlinePad(dpy, (int) rep.depth), 0);
+	    planes = 1;
+	}
 
 	if (!image)
 	    Xfree(data);
+	if (planes < 1 || image->height < 1 || image->bytes_per_line < 1 ||
+	    INT_MAX / image->height <= image->bytes_per_line ||
+	    INT_MAX / planes <= image->height * image->bytes_per_line ||
+	    nbytes < planes * image->height * image->bytes_per_line) {
+	    XDestroyImage(image);
+	    image = NULL;
+	}
 	UnlockDisplay(dpy);
 	SyncHandle();
 	return (image);
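Review bot: The added validation at L132-L135 dereferences image->height and image->bytes_per_line without handling a NULL return from XCreateImage, and in the XYPixmap branch `planes = image->depth;` at L122 already dereferences image one line after the call; the existing `if (!image) Xfree(data);` at L130-L131 shows that a NULL image is an expected outcome, so an allocation failure that used to return NULL cleanly now crashes. Guarding the assignment with `planes = image ? image->depth : 0;` and chaining the new test onto the existing one, `if (!image) { Xfree(data); } else if (planes < 1 || image->height < 1 || image->bytes_per_line < 1 ||` (rest of the condition unchanged), keeps the NULL path intact. On the rejection path XDestroyImage presumably releases data through the image's destroy hook, so data is not leaked there; a one-line comment such as `/* XDestroyImage also frees data */` next to that call would save the next reader the same check. The enclosing function starts outside this hunk.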
only in patch2:
unchanged:
--- libx11-1.6.2.orig/src/ListExt.c
+++ libx11-1.6.2/src/ListExt.c
@@ -55,7 +55,7 @@
 
 	if (rep.nExtensions) {
 	    list = Xmalloc (rep.nExtensions * sizeof (char *));
-	    if (rep.length < (INT_MAX >> 2)) {
+	    if (rep.length > 0 && rep.length < (INT_MAX >> 2)) {
 		rlen = rep.length << 2;
 		ch = Xmalloc (rlen + 1);
                 /* +1 to leave room for last null-terminator */
@@ -80,9 +80,13 @@
 		if (ch + length < chend) {
 		    list[i] = ch+1;  /* skip over length */
 		    ch += length + 1; /* find next length ... */
-		    length = *ch;
-		    *ch = '\0'; /* and replace with null-termination */
-		    count++;
+		    if (ch <= chend) {
+			length = *ch;
+			*ch = '\0'; /* and replace with null-termination */
+			count++;
+		    } else {
+			list[i] = NULL;
+		    }
 		} else
 		    list[i] = NULL;
 	    }
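Review bot: The new else branch at L166-L168 sets list[i] to NULL but does not leave the loop, so the remaining iterations run with a stale `length`; as far as the hunk shows ch is already beyond chend at that point, so every later iteration falls through to the existing `else list[i] = NULL` and the result is still consistent, but the truncation is implicit, whereas the FontNames.c hunk in this same patch frees everything and breaks on the equivalent condition. A `break;` after `list[i] = NULL;`, or at least a comment such as `/* reply shorter than advertised: stop unpacking, count stays at i */`, would make the two sites read the same way. The enclosing function starts and ends outside this hunk.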
only in patch2:
unchanged:
--- libx11-1.6.2.orig/src/ModMap.c
+++ libx11-1.6.2/src/ModMap.c
@@ -42,7 +42,8 @@
     GetEmptyReq(GetModifierMapping, req);
     (void) _XReply (dpy, (xReply *)&rep, 0, xFalse);
 
-    if (rep.length < (INT_MAX >> 2)) {
+    if (rep.length < (INT_MAX >> 2) &&
+	(rep.length >> 1) == rep.numKeyPerModifier) {
 	nbytes = (unsigned long)rep.length << 2;
 	res = Xmalloc(sizeof (XModifierKeymap));
 	if (res)
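Review bot: The added consistency test `(rep.length >> 1) == rep.numKeyPerModifier` at L182 is not exact: the shift discards the low bit, so an odd rep.length (one 4-byte unit longer than 2 * numKeyPerModifier) passes as well, and nbytes on the next line is then 4 bytes larger than the keymap the reply is supposed to carry, which as I read the protocol is exactly 2 * numKeyPerModifier length units. If the intent is an exact size match, `rep.length == 2 * rep.numKeyPerModifier` states it directly; if the extra unit is tolerated on purpose, a short comment saying so would stop the next reviewer from raising the same question. The enclosing function continues past the end of this hunk.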

