chithanh 15/04/28 15:38:08

Added: xorg-server-1.12-cve-2015-3418.patch
Log:
Add fix for security bug #548002.

(Portage version: 2.2.18/cvs/Linux x86_64, signed Manifest commit with key 0x2324E7B566DF2611!)

Revision Changes Path
1.1 x11-base/xorg-server/files/xorg-server-1.12-cve-2015-3418.patch

file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/x11-base/xorg-server/files/xorg-server-1.12-cve-2015-3418.patch?rev=1.1&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/x11-base/xorg-server/files/xorg-server-1.12-cve-2015-3418.patch?rev=1.1&content-type=text/plain

Index: xorg-server-1.12-cve-2015-3418.patch
===================================================================
From dc777c346d5d452a53b13b917c45f6a1bad2f20b Mon Sep 17 00:00:00 2001
From: Keith Packard <keithp@××××××.com>
Date: Sat, 3 Jan 2015 08:46:45 -0800
Subject: dix: Allow zero-height PutImage requests

The length checking code validates PutImage height and byte width by
making sure that byte-width >= INT32_MAX / height. If height is zero,
this generates a divide by zero exception. Allow zero height requests
explicitly, bypassing the INT32_MAX check.

Signed-off-by: Keith Packard <keithp@××××××.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@××××××.com>

diff --git a/dix/dispatch.c b/dix/dispatch.c |
index 55b978d..9044ac7 100644 |
--- a/dix/dispatch.c |
+++ b/dix/dispatch.c |
@@ -2000,7 +2000,7 @@ ProcPutImage(ClientPtr client) |
tmpImage = (char *) &stuff[1]; |
lengthProto = length; |
|
- if (lengthProto >= (INT32_MAX / stuff->height)) |
+ if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height)) |
return BadLength; |
|
if ((bytes_to_int32(lengthProto * stuff->height) + |
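
Review bot: the changed condition in ProcPutImage avoids the division only through the short-circuit order of its two operands, and nothing in the code says why height 0 is exempt from the INT32_MAX guard; a later reordering or refactor of that expression would bring the divide by zero back. A one-line comment above the if, or an explicit separate branch for stuff->height == 0, would make the intent durable. With height 0 the product lengthProto * stuff->height in the next check evaluates to 0, so it is worth confirming (and covering with a regression test that sends a zero-height PutImage) that the following length comparison still rejects a request whose body carries image data.
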
-- |
cgit v0.10.2 |