lib/libXrender/CVE-2016-7950.patch

1665N/AFrom 9362c7ddd1af3b168953d0737877bc52d79c94f4 Mon Sep 17 00:00:00 2001
1665N/AFrom: Tobias Stoeckmann <tobias@stoeckmann.org>
1665N/ADate: Sun, 25 Sep 2016 21:43:09 +0200
1665N/ASubject: [PATCH:libXrender 2/2] Validate lengths while parsing server data.
1665N/A
1665N/AIndividual lengths inside received server data can overflow
1665N/Athe previously reserved memory.
1665N/A
1665N/AIt is therefore important to validate every single length
1665N/Afield to not overflow the previously agreed sum of all invidual
1665N/Alength fields.
1665N/A
1665N/Av2: consume remaining bytes in the reply buffer on error.
1665N/A
1665N/ASigned-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
1665N/AReviewed-by: Matthieu Herrb@laas.fr
1665N/A---
1665N/A src/Xrender.c | 18 ++++++++++++++++++
1665N/A 1 file changed, 18 insertions(+)
1665N/A
1665N/Adiff --git a/src/Xrender.c b/src/Xrender.c
1665N/Aindex 3102eb2..71cf3e6 100644
1665N/A--- a/src/Xrender.c
1665N/A+++ b/src/Xrender.c
1665N/A@@ -533,12 +533,30 @@ XRenderQueryFormats (Display *dpy)
1665N/A    screen->fallback = _XRenderFindFormat (xri, xScreen->fallback);
1665N/A    screen->subpixel = SubPixelUnknown;
1665N/A    xDepth = (xPictDepth *) (xScreen + 1);
1665N/A+   if (screen->ndepths > rep.numDepths) {
1665N/A+       Xfree (xri);
1665N/A+       Xfree (xData);
1665N/A+       _XEatDataWords (dpy, rep.length);
1665N/A+       UnlockDisplay (dpy);
1665N/A+       SyncHandle ();
1665N/A+       return 0;
1665N/A+   }
1665N/A+   rep.numDepths -= screen->ndepths;
1665N/A    for (nd = 0; nd < screen->ndepths; nd++)
1665N/A    {
1665N/A        depth->depth = xDepth->depth;
1665N/A        depth->nvisuals = xDepth->nPictVisuals;
1665N/A        depth->visuals = visual;
1665N/A        xVisual = (xPictVisual *) (xDepth + 1);
1665N/A+       if (depth->nvisuals > rep.numVisuals) {
1665N/A+       Xfree (xri);
1665N/A+       Xfree (xData);
1665N/A+       _XEatDataWords (dpy, rep.length);
1665N/A+       UnlockDisplay (dpy);
1665N/A+       SyncHandle ();
1665N/A+       return 0;
1665N/A+       }
1665N/A+       rep.numVisuals -= depth->nvisuals;
1665N/A        for (nv = 0; nv < depth->nvisuals; nv++)
1665N/A        {
1665N/A        visual->visual = _XRenderFindVisual (dpy, xVisual->visual);
1665N/A--
1665N/A2.7.4
1665N/A