
xorg-server: Changes to 'debian-stretch'



 debian/changelog |    1 +
 render/render.c  |    4 ++++
 2 files changed, 5 insertions(+)

New commits:
commit ad85f60266fa5f2aade165c0621c4e77b2e01963
Author: Julien Cristau <jcristau@debian.org>
Date:   Fri Oct 13 15:27:25 2017 +0200

    Update changelog

diff --git a/debian/changelog b/debian/changelog
index 3ad93ef..402f14e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -19,6 +19,7 @@ xorg-server (2:1.19.2-1+deb9u2) UNRELEASED; urgency=high
   * Xext/shm: Validate shmseg resource id (CVE-2017-13721)
   * xkb: Handle xkb formated string output safely (CVE-2017-13723)
   * xkb: Escape non-printable characters correctly.
+  * render: Fix out of boundary heap access
 
  -- Julien Cristau <jcristau@debian.org>  Fri, 13 Oct 2017 14:59:22 +0200
 

commit c00fdf2c642311c674b4ea2b16ee53b5beb7bbf6
Author: Tobias Stoeckmann <tobias@stoeckmann.org>
Date:   Mon Mar 13 19:13:14 2017 +0100

    render: Fix out of boundary heap access
    
    ProcRenderCreateRadialGradient and ProcRenderCreateConicalGradient must
    be protected against an integer overflow during length check. This is
    already included in ProcRenderCreateLinearGradient since the fix for
    CVE-2008-2362.
    
    This can only be successfully exploited on a 32 bit system for an
    out of boundary read later on. Validated by using ASAN.
    
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    (cherry picked from commit ac15d4cecca377c5c31ab852c39bbd554ca48fe2)

diff --git a/render/render.c b/render/render.c
index 5fa8c05..3a41e33 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1911,6 +1911,8 @@ ProcRenderCreateRadialGradient(ClientPtr client)
     LEGAL_NEW_RESOURCE(stuff->pid, client);
 
     len = (client->req_len << 2) - sizeof(xRenderCreateRadialGradientReq);
+    if (stuff->nStops > UINT32_MAX / (sizeof(xFixed) + sizeof(xRenderColor)))
+        return BadLength;
     if (len != stuff->nStops * (sizeof(xFixed) + sizeof(xRenderColor)))
         return BadLength;
 
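Review bot: The added guard on `stuff->nStops` has no comment saying why it must come before the `len` comparison, and the per-stop size `sizeof(xFixed) + sizeof(xRenderColor)` is now written out twice in a row, so the bound and the multiplication it protects could drift apart in a later edit. A comment above the guard would record the intent, for example `/* nStops is client-supplied: reject counts whose byte size would wrap before it is compared with len */`. The identical guard added to ProcRenderCreateConicalGradient in the next hunk needs the same comment. The bound is written against `UINT32_MAX` while the product is computed in whatever type `sizeof` yields; that looks intentional for the 32-bit case the commit message describes, but the declaration of `len` is outside the hunk, so it is worth confirming that the comparison behaves as intended for its type. Both function bodies start and end outside the hunks shown.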
@@ -1949,6 +1951,8 @@ ProcRenderCreateConicalGradient(ClientPtr client)
     LEGAL_NEW_RESOURCE(stuff->pid, client);
 
     len = (client->req_len << 2) - sizeof(xRenderCreateConicalGradientReq);
+    if (stuff->nStops > UINT32_MAX / (sizeof(xFixed) + sizeof(xRenderColor)))
+        return BadLength;
     if (len != stuff->nStops * (sizeof(xFixed) + sizeof(xRenderColor)))
         return BadLength;
 

