Package: release.debian.org Severity: normal Tags: jessie User: release.debian.org@packages.debian.org Usertags: pu One more. Cheers, Julien diff -u libxrender-0.9.8/debian/changelog libxrender-0.9.8/debian/changelog --- libxrender-0.9.8/debian/changelog +++ libxrender-0.9.8/debian/changelog @@ -1,3 +1,11 @@ +libxrender (1:0.9.8-1+deb8u1) jessie; urgency=medium + + * Insufficient validation of data from the X server + can cause out of boundary memory writes. Addresses CVE-2016-7949 and + CVE-2016-7950. + + -- Julien Cristau <jcristau@debian.org> Sat, 28 Jan 2017 15:11:56 +0100 + libxrender (1:0.9.8-1) sid; urgency=low * New upstream release. only in patch2: unchanged: --- libxrender-0.9.8.orig/src/Filter.c +++ libxrender-0.9.8/src/Filter.c @@ -38,7 +38,7 @@ char *name; char len; int i; - unsigned long nbytes, nbytesAlias, nbytesName; + unsigned long nbytes, nbytesAlias, nbytesName, reply_left; if (!RenderHasExtension (info)) return NULL; @@ -114,6 +114,7 @@ * Read the filter aliases */ _XRead16Pad (dpy, filters->alias, 2 * rep.numAliases); + reply_left = 8 + rep.length - 2 * rep.numAliases;; /* * Read the filter names @@ -122,9 +123,19 @@ { int l; _XRead (dpy, &len, 1); + reply_left--; l = len & 0xff; + if ((unsigned long)l + 1 > nbytesName) { + _XEatDataWords(dpy, reply_left); + Xfree(filters); + UnlockDisplay (dpy); + SyncHandle (); + return NULL; + } + nbytesName -= l + 1; filters->filter[i] = name; _XRead (dpy, name, l); + reply_left -= l; name[l] = '\0'; name += l + 1; } only in patch2: unchanged: --- libxrender-0.9.8.orig/src/Xrender.c +++ libxrender-0.9.8/src/Xrender.c 
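Review bot: In src/Filter.c the new `reply_left = 8 + rep.length - 2 * rep.numAliases;;` (hunk at -114) appears to mix units. `rep.length` is an X reply length counted in 4-byte words, while `2 * rep.numAliases` and the later `reply_left--` and `reply_left -= l` adjustments (hunk at -122) are byte counts. The result is then passed to `_XEatDataWords`, which expects words, so the rejection path may discard a different amount than what is left of the reply and leave the connection out of step with the server. I would track the remainder in bytes from `rep.length << 2` and discard it with `_XEatData (dpy, reply_left);`, and drop the stray second `;`. No guard is visible in these hunks against the unsigned subtraction wrapping when `numAliases` is large; the rest of the function is outside the hunks, so confirm whether an earlier check covers it.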
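Review bot: The bounds check added to the name loop in src/Filter.c (hunk at -122) has no comment saying what `nbytesName` tracks or why the test uses `l + 1`. From the visible lines, each name consumes `l` bytes plus the `'\0'` stored by `name[l] = '\0'`, and `nbytesName` is presumably the space left in the name area. A one-line comment above the `if` would make that explicit: `/* each name needs l bytes plus its NUL terminator; reject the reply if that no longer fits */`. The `for` header of this loop is outside the hunk.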
@@ -533,12 +533,30 @@ screen->fallback = _XRenderFindFormat (xri, xScreen->fallback); screen->subpixel = SubPixelUnknown; xDepth = (xPictDepth *) (xScreen + 1); + if (screen->ndepths > rep.numDepths) { + Xfree (xri); + Xfree (xData); + _XEatDataWords (dpy, rep.length); + UnlockDisplay (dpy); + SyncHandle (); + return 0; + } + rep.numDepths -= screen->ndepths; for (nd = 0; nd < screen->ndepths; nd++) { depth->depth = xDepth->depth; depth->nvisuals = xDepth->nPictVisuals; depth->visuals = visual; xVisual = (xPictVisual *) (xDepth + 1); + if (depth->nvisuals > rep.numVisuals) { + Xfree (xri); + Xfree (xData); + _XEatDataWords (dpy, rep.length); + UnlockDisplay (dpy); + SyncHandle (); + return 0; + } + rep.numVisuals -= depth->nvisuals; for (nv = 0; nv < depth->nvisuals; nv++) { visual->visual = _XRenderFindVisual (dpy, xVisual->visual);
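Review bot: Both new rejection paths in src/Xrender.c call `_XEatDataWords (dpy, rep.length);`, but the surrounding loop parses `xScreen`, `xDepth` and `xVisual` out of the in-memory `xData` buffer. That suggests the reply body was already read from the connection before this point; the read is outside the hunk, so please confirm. If so, discarding another `rep.length` words here would consume bytes belonging to later replies or events, or block waiting for them, so the `_XEatDataWords` line should be dropped from each path. The two cleanup sequences are identical and could share one exit label so they cannot drift apart. The enclosing function begins and ends outside the hunk.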