CVE-2016-7942.patch revision 1665
6be66de4257f4f564e35f7b8ee57a282e3cf3e96vboxsyncFrom 8ea762f94f4c942d898fdeb590a1630c83235c17 Mon Sep 17 00:00:00 2001
6be66de4257f4f564e35f7b8ee57a282e3cf3e96vboxsyncFrom: Tobias Stoeckmann <tobias@stoeckmann.org>
6be66de4257f4f564e35f7b8ee57a282e3cf3e96vboxsyncDate: Sun, 25 Sep 2016 21:25:25 +0200
6be66de4257f4f564e35f7b8ee57a282e3cf3e96vboxsyncSubject: [PATCH:libX11] Validation of server responses in XGetImage()
6be66de4257f4f564e35f7b8ee57a282e3cf3e96vboxsync
c9358b62c913b00a8d9d2f1a2e2f6513d9fa8460vboxsyncCheck whether enough bytes were received for the specified image type and
c58f1213e628a545081c70e26c6b67a841cff880vboxsyncgeometry. Otherwise GetPixel and other functions could trigger an
c9358b62c913b00a8d9d2f1a2e2f6513d9fa8460vboxsyncout-of-bounds read later on.
c9358b62c913b00a8d9d2f1a2e2f6513d9fa8460vboxsync
c9358b62c913b00a8d9d2f1a2e2f6513d9fa8460vboxsyncSigned-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
c9358b62c913b00a8d9d2f1a2e2f6513d9fa8460vboxsyncReviewed-by: Matthieu Herrb <matthieu@herrb.eu>
6eea1c2a48951b898f17a82b2432e5233226d6cdvboxsync---
6eea1c2a48951b898f17a82b2432e5233226d6cdvboxsync src/GetImage.c | 29 ++++++++++++++++++++---------
6eea1c2a48951b898f17a82b2432e5233226d6cdvboxsync 1 file changed, 20 insertions(+), 9 deletions(-)
6eea1c2a48951b898f17a82b2432e5233226d6cdvboxsync
6eea1c2a48951b898f17a82b2432e5233226d6cdvboxsyncdiff --git a/src/GetImage.c b/src/GetImage.c
c9358b62c913b00a8d9d2f1a2e2f6513d9fa8460vboxsyncindex c461abc..ff32d58 100644
6be66de4257f4f564e35f7b8ee57a282e3cf3e96vboxsync--- a/src/GetImage.c
7529922bd11d7d1c38fbdc7bad6aec83eb2ec0advboxsync+++ b/src/GetImage.c
fd2c90789f0400466ad9fb09b5da54acf22ecbd3vboxsync@@ -59,6 +59,7 @@ XImage *XGetImage (
6be66de4257f4f564e35f7b8ee57a282e3cf3e96vboxsync char *data;
7529922bd11d7d1c38fbdc7bad6aec83eb2ec0advboxsync unsigned long nbytes;
1c2c968fd241148110002d75b2c0fdeddc211e14vboxsync XImage *image;
7529922bd11d7d1c38fbdc7bad6aec83eb2ec0advboxsync+ int planes;
7529922bd11d7d1c38fbdc7bad6aec83eb2ec0advboxsync LockDisplay(dpy);
7529922bd11d7d1c38fbdc7bad6aec83eb2ec0advboxsync GetReq (GetImage, req);
da6747c2419b9cea8b5e2c576a30a5de999a8ab3vboxsync /*
1c2c968fd241148110002d75b2c0fdeddc211e14vboxsync@@ -91,18 +92,28 @@ XImage *XGetImage (
1c2c968fd241148110002d75b2c0fdeddc211e14vboxsync return (XImage *) NULL;
da6747c2419b9cea8b5e2c576a30a5de999a8ab3vboxsync }
1c2c968fd241148110002d75b2c0fdeddc211e14vboxsync _XReadPad (dpy, data, nbytes);
e5b0ff3f3e94647e5f10222bafd1551eb503342dvboxsync- if (format == XYPixmap)
- image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual),
- Ones (plane_mask &
- (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))),
- format, 0, data, width, height, dpy->bitmap_pad, 0);
- else /* format == ZPixmap */
- image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual),
- rep.depth, ZPixmap, 0, data, width, height,
- _XGetScanlinePad(dpy, (int) rep.depth), 0);
+ if (format == XYPixmap) {
+ image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual),
+ Ones (plane_mask &
+ (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))),
+ format, 0, data, width, height, dpy->bitmap_pad, 0);
+ planes = image->depth;
+ } else { /* format == ZPixmap */
+ image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual),
+ rep.depth, ZPixmap, 0, data, width, height,
+ _XGetScanlinePad(dpy, (int) rep.depth), 0);
+ planes = 1;
+ }
if (!image)
Xfree(data);
+ if (planes < 1 || image->height < 1 || image->bytes_per_line < 1 ||
+ INT_MAX / image->height <= image->bytes_per_line ||
+ INT_MAX / planes <= image->height * image->bytes_per_line ||
+ nbytes < planes * image->height * image->bytes_per_line) {
+ XDestroyImage(image);
+ image = NULL;
+ }
UnlockDisplay(dpy);
SyncHandle();
return (image);
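Review bot: The new `planes = image->depth;` on the XYPixmap branch dereferences `image` before the `if (!image)` test that follows, and the added size-validation block runs unconditionally after `Xfree(data)`, so it dereferences `image` again when XCreateImage returned NULL; an allocation failure therefore crashes in this function instead of returning NULL as before. Both uses belong on the non-NULL path: keep `planes = 1` on the ZPixmap branch, test `image` first, and derive the XYPixmap plane count and run the checks in an else branch, as sketched below. The validation itself (the `planes < 1`/`height < 1`/`bytes_per_line < 1` guards, the two `INT_MAX` overflow checks and the `nbytes` comparison) reads correctly and is kept as is. XGetImage starts before this hunk, and its closing brace is outside the lines shown (the hunk header counts one more new-side line than is visible).
```c
    /* … unchanged: both XCreateImage() calls; the ZPixmap branch still sets planes = 1 … */
    if (!image) {
        Xfree(data);
    } else {
        if (format == XYPixmap)
            planes = image->depth;   /* moved here: image is known non-NULL */
        if (planes < 1 || image->height < 1 || image->bytes_per_line < 1 ||
            /* … unchanged: INT_MAX overflow guards and nbytes comparison … */) {
            XDestroyImage(image);
            image = NULL;
        }
    }
```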
--
2.7.4