Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: "Chi-Thanh Christopher Nguyen (chithanh)" <chithanh@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo-x86 commit in x11-base/xorg-server/files: xorg-server-1.12-cve-2015-3418.patch
Date: Tue, 28 Apr 2015 15:38:20
Message-Id: 20150428153810.29490978@oystercatcher.gentoo.org
1 chithanh 15/04/28 15:38:08
2
3 Added: xorg-server-1.12-cve-2015-3418.patch
4 Log:
5 Add fix for security bug #548002.
6
7 (Portage version: 2.2.18/cvs/Linux x86_64, signed Manifest commit with key 0x2324E7B566DF2611!)
8
9 Revision Changes Path
10 1.1 x11-base/xorg-server/files/xorg-server-1.12-cve-2015-3418.patch
11
12 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/x11-base/xorg-server/files/xorg-server-1.12-cve-2015-3418.patch?rev=1.1&view=markup
13 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/x11-base/xorg-server/files/xorg-server-1.12-cve-2015-3418.patch?rev=1.1&content-type=text/plain
14
15 Index: xorg-server-1.12-cve-2015-3418.patch
16 ===================================================================
17 From dc777c346d5d452a53b13b917c45f6a1bad2f20b Mon Sep 17 00:00:00 2001
18 From: Keith Packard <keithp@××××××.com>
19 Date: Sat, 3 Jan 2015 08:46:45 -0800
20 Subject: dix: Allow zero-height PutImage requests
21
22 The length checking code validates PutImage height and byte width by
23 making sure that byte-width >= INT32_MAX / height. If height is zero,
24 this generates a divide by zero exception. Allow zero height requests
25 explicitly, bypassing the INT32_MAX check.
26
27 Signed-off-by: Keith Packard <keithp@××××××.com>
28 Reviewed-by: Alan Coopersmith <alan.coopersmith@××××××.com>
29
30 diff --git a/dix/dispatch.c b/dix/dispatch.c
31 index 55b978d..9044ac7 100644
32 --- a/dix/dispatch.c
33 +++ b/dix/dispatch.c
34 @@ -2000,7 +2000,7 @@ ProcPutImage(ClientPtr client)
35 tmpImage = (char *) &stuff[1];
36 lengthProto = length;
37
38 - if (lengthProto >= (INT32_MAX / stuff->height))
39 + if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height))
40 return BadLength;
41
42 if ((bytes_to_int32(lengthProto * stuff->height) +
43 --
44 cgit v0.10.2
Report Message
Find on MARC Find on Google Groups