Bug#852954: jessie-pu: package libxrender/1:0.9.8-1+deb8u1

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#852954: jessie-pu: package libxrender/1:0.9.8-1+deb8u1
From: Julien Cristau <jcristau@debian.org>
Date: Sat, 28 Jan 2017 15:30:54 +0100
Message-id: <[🔎] 20170128143054.wlek4ni4wf4x7hmc@betterave.cristau.org>
Reply-to: Julien Cristau <jcristau@debian.org>, 852954@bugs.debian.org

Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian.org@packages.debian.org
Usertags: pu

One more.

Cheers,
Julien

diff -u libxrender-0.9.8/debian/changelog libxrender-0.9.8/debian/changelog
--- libxrender-0.9.8/debian/changelog
+++ libxrender-0.9.8/debian/changelog
@@ -1,3 +1,11 @@
+libxrender (1:0.9.8-1+deb8u1) jessie; urgency=medium
+
+  * Insufficient validation of data from the X server
+    can cause out of boundary memory writes.  Addresses CVE-2016-7949 and
+    CVE-2016-7950.
+
+ -- Julien Cristau <jcristau@debian.org>  Sat, 28 Jan 2017 15:11:56 +0100
+
 libxrender (1:0.9.8-1) sid; urgency=low
 
   * New upstream release.
only in patch2:
unchanged:
--- libxrender-0.9.8.orig/src/Filter.c
+++ libxrender-0.9.8/src/Filter.c
@@ -38,7 +38,7 @@
     char			*name;
     char			len;
     int				i;
-    unsigned long		nbytes, nbytesAlias, nbytesName;
+    unsigned long		nbytes, nbytesAlias, nbytesName, reply_left;
 
     if (!RenderHasExtension (info))
 	return NULL;
@@ -114,6 +114,7 @@
      * Read the filter aliases
      */
     _XRead16Pad (dpy, filters->alias, 2 * rep.numAliases);
+    reply_left = 8 + rep.length - 2 * rep.numAliases;;
 
     /*
      * Read the filter names
@@ -122,9 +123,19 @@
     {
 	int	l;
 	_XRead (dpy, &len, 1);
+	reply_left--;
 	l = len & 0xff;
+	if ((unsigned long)l + 1 > nbytesName) {
+            _XEatDataWords(dpy, reply_left);
+	    Xfree(filters);
+	    UnlockDisplay (dpy);
+	    SyncHandle ();
+	    return NULL;
+	}
+	nbytesName -= l + 1;
 	filters->filter[i] = name;
 	_XRead (dpy, name, l);
+        reply_left -= l;
 	name[l] = '\0';
 	name += l + 1;
     }
only in patch2:
unchanged:
--- libxrender-0.9.8.orig/src/Xrender.c
+++ libxrender-0.9.8/src/Xrender.c
@@ -533,12 +533,30 @@
 	screen->fallback = _XRenderFindFormat (xri, xScreen->fallback);
 	screen->subpixel = SubPixelUnknown;
 	xDepth = (xPictDepth *) (xScreen + 1);
+	if (screen->ndepths > rep.numDepths) {
+	    Xfree (xri);
+	    Xfree (xData);
+	    _XEatDataWords (dpy, rep.length);
+	    UnlockDisplay (dpy);
+	    SyncHandle ();
+	    return 0;
+	}
+	rep.numDepths -= screen->ndepths;
 	for (nd = 0; nd < screen->ndepths; nd++)
 	{
 	    depth->depth = xDepth->depth;
 	    depth->nvisuals = xDepth->nPictVisuals;
 	    depth->visuals = visual;
 	    xVisual = (xPictVisual *) (xDepth + 1);
+	    if (depth->nvisuals > rep.numVisuals) {
+		Xfree (xri);
+		Xfree (xData);
+		_XEatDataWords (dpy, rep.length);
+		UnlockDisplay (dpy);
+		SyncHandle ();
+		return 0;
+	    }
+	    rep.numVisuals -= depth->nvisuals;
 	    for (nv = 0; nv < depth->nvisuals; nv++)
 	    {
 		visual->visual = _XRenderFindVisual (dpy, xVisual->visual);

Attachment: signature.asc
Description: PGP signature

Reply to:

Prev by Date: Re: Draft for taging 32 RC bugs with can-defer, will-remove or is-blocker
Next by Date: Bug#852945: RM: packages that migrated by mistake, batch 1
Previous by thread: Bug#852952: jessie-pu: package libxrandr/2:1.4.2-1+deb8u1
Next by thread: Processed: Add bug dependencies
Index(es):
- Date
- Thread