1665N/AFrom 8fad00b0b647ee662ce4737ca15be033b7a21714 Mon Sep 17 00:00:00 2001
1665N/AFrom: Tobias Stoeckmann <tobias@stoeckmann.org>
1665N/ADate: Sun, 25 Sep 2016 21:42:09 +0200
1665N/ASubject: [PATCH:libXrender 1/2] Avoid OOB write in XRenderQueryFilters
1665N/A
1665N/AThe memory for filter names is reserved right after receiving the reply.
1665N/AAfter that, filters are iterated and each individual filter name is
1665N/Astored in that reserved memory.
1665N/A
1665N/AThe individual name lengths are not checked for validity, which means
1665N/Athat a malicious server can reserve less memory than it will write to
1665N/Aduring each iteration.
1665N/A
1665N/Av2: consume remaining bytes in reply buffer on error.
1665N/A
1665N/ASigned-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
1665N/AReviewed-by: Matthieu Herrb <matthieu@herrb.eu>
1665N/A---
1665N/A src/Filter.c | 13 ++++++++++++-
1665N/A 1 file changed, 12 insertions(+), 1 deletion(-)
1665N/A
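diff --git a/src/Filter.c b/src/Filter.c
index edfa572..8d701eb 100644
--- a/src/Filter.c
+++ b/src/Filter.c
@@ -38,7 +38,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
 char *name;
 char len;
 int i;
- unsigned long nbytes, nbytesAlias, nbytesName;
+ unsigned long nbytes, nbytesAlias, nbytesName, reply_left;
 
 if (!RenderHasExtension (info))
 return NULL;
@@ -114,6 +114,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
 * Read the filter aliases
 */
 _XRead16Pad (dpy, filters->alias, 2 * rep.numAliases);
+ reply_left = 8 + rep.length - 2 * rep.numAliases;;
 
 /*
 * Read the filter names
@@ -122,9 +123,19 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
 {
 int l;
 _XRead (dpy, &len, 1);
+ reply_left--;
 l = len & 0xff;
+ if ((unsigned long)l + 1 > nbytesName) {
+ _XEatDataWords(dpy, reply_left);
+ Xfree(filters);
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ return NULL;
+ }
+ nbytesName -= l + 1;
 filters->filter[i] = name;
 _XRead (dpy, name, l);
+ reply_left -= l;
 name[l] = '\0';
 name += l + 1;
 }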
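Review bot: `reply_left` appears to be kept in two different units at once: `8 + rep.length` reads like a 32-bit-word count (Xlib reply `length` fields and `_XEatDataWords` both work in words, as far as the names suggest), while `2 * rep.numAliases` in the second hunk and `reply_left--` / `reply_left -= l` in the third subtract bytes, so the amount discarded by `_XEatDataWords(dpy, reply_left)` on the new error path would be off, and should the byte subtractions ever exceed the word count the unsigned value wraps and a huge eat is requested. If that reading is right, keep the remainder in bytes and convert once, e.g. `reply_left = 4 * rep.length - 2 * rep.numAliases;` (or whatever base the already-consumed header and the `_XRead16Pad` padding make correct) together with `_XEatDataWords(dpy, (reply_left + 3) / 4);`. Either way the assignment needs a comment stating the unit and the origin of the `8 +` term, and its trailing `;;` should be a single `;`. XRenderQueryFilters begins before the first hunk and ends after the third, so how `nbytesName` and `rep` are derived is not visible here.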
1665N/A--
1665N/A2.7.4
1665N/A