Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12:Update
xorg-x11-server.1965
U_dix_integer_overflow_in_ProcPutImage.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File U_dix_integer_overflow_in_ProcPutImage.patch of Package xorg-x11-server.1965
Subject: dix: integer overflow in ProcPutImage() References: bnc#907268, CVE-2014-8092 Patch-Mainline: Upstream Signed-off-by: Michal Srb <msrb@suse.com> ProcPutImage() calculates a length field from a width, left pad and depth specified by the client (if the specified format is XYPixmap). The calculations for the total amount of memory the server needs for the pixmap can overflow a 32-bit number, causing out-of-bounds memory writes on 32-bit systems (since the length is stored in a long int variable). Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> --- dix/dispatch.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/dix/dispatch.c b/dix/dispatch.c index d844a09..55b978d 100644 --- a/dix/dispatch.c +++ b/dix/dispatch.c @@ -2000,6 +2000,9 @@ ProcPutImage(ClientPtr client) tmpImage = (char *) &stuff[1]; lengthProto = length; + if (lengthProto >= (INT32_MAX / stuff->height)) + return BadLength; + if ((bytes_to_int32(lengthProto * stuff->height) + bytes_to_int32(sizeof(xPutImageReq))) != client->req_len) return BadLength; -- 1.7.9.2
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor