lib/libX11/CVE-2016-7942.patch

1665N/AFrom 8ea762f94f4c942d898fdeb590a1630c83235c17 Mon Sep 17 00:00:00 2001
1665N/AFrom: Tobias Stoeckmann <tobias@stoeckmann.org>
1665N/ADate: Sun, 25 Sep 2016 21:25:25 +0200
1665N/ASubject: [PATCH:libX11] Validation of server responses in XGetImage()
1665N/A
1665N/ACheck if enough bytes were received for specified image type and
1665N/Ageometry. Otherwise GetPixel and other functions could trigger an
1665N/Aout of boundary read later on.
1665N/A
1665N/ASigned-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
1665N/AReviewed-by: Matthieu Herrb <matthieu@herrb.eu>
1665N/A---
1665N/A src/GetImage.c | 29 ++++++++++++++++++++---------
1665N/A 1 file changed, 20 insertions(+), 9 deletions(-)
1665N/A
1665N/Adiff --git a/src/GetImage.c b/src/GetImage.c
1665N/Aindex c461abc..ff32d58 100644
1665N/A--- a/src/GetImage.c
1665N/A+++ b/src/GetImage.c
1665N/A@@ -59,6 +59,7 @@ XImage *XGetImage (
1665N/A    char *data;
1665N/A    unsigned long nbytes;
1665N/A    XImage *image;
1665N/A+   int planes;
1665N/A    LockDisplay(dpy);
1665N/A    GetReq (GetImage, req);
1665N/A    /*
1665N/A@@ -91,18 +92,28 @@ XImage *XGetImage (
1665N/A        return (XImage *) NULL;
1665N/A    }
1665N/A         _XReadPad (dpy, data, nbytes);
1665N/A-        if (format == XYPixmap)
1665N/A-      image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual),
1665N/A-         Ones (plane_mask &
1665N/A-           (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))),
1665N/A-         format, 0, data, width, height, dpy->bitmap_pad, 0);
1665N/A-   else /* format == ZPixmap */
1665N/A-           image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual),
1665N/A-        rep.depth, ZPixmap, 0, data, width, height,
1665N/A-         _XGetScanlinePad(dpy, (int) rep.depth), 0);
1665N/A+        if (format == XYPixmap) {
1665N/A+       image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual),
1665N/A+       Ones (plane_mask &
1665N/A+           (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))),
1665N/A+       format, 0, data, width, height, dpy->bitmap_pad, 0);
1665N/A+       planes = image->depth;
1665N/A+   } else { /* format == ZPixmap */
1665N/A+            image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual),
1665N/A+       rep.depth, ZPixmap, 0, data, width, height,
1665N/A+           _XGetScanlinePad(dpy, (int) rep.depth), 0);
1665N/A+       planes = 1;
1665N/A+   }
1665N/A
1665N/A    if (!image)
1665N/A        Xfree(data);
1665N/A+   if (planes < 1 || image->height < 1 || image->bytes_per_line < 1 ||
1665N/A+       INT_MAX / image->height <= image->bytes_per_line ||
1665N/A+       INT_MAX / planes <= image->height * image->bytes_per_line ||
1665N/A+       nbytes < planes * image->height * image->bytes_per_line) {
1665N/A+       XDestroyImage(image);
1665N/A+       image = NULL;
1665N/A+   }
1665N/A    UnlockDisplay(dpy);
1665N/A    SyncHandle();
1665N/A    return (image);
1665N/A--
1665N/A2.7.4
1665N/A