aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSona Sarmadi <sona.sarmadi@enea.com>2017-01-27 08:26:12 +0100
committerRichard Purdie <richard.purdie@linuxfoundation.org>2017-02-08 11:59:59 +0000
commit87ffd7ce2e8ece8b44ff3f1c219a74b3590cf14b (patch)
treeac01634ed4899eb71cbdd58984aa0d869e7e9686
parentb0c70bef015f1b2a30556a5db5e255592d5bf316 (diff)
downloadopenembedded-core-contrib-87ffd7ce2e8ece8b44ff3f1c219a74b3590cf14b.tar.gz
libxrender: CVE-2016-7949
Insufficient validation of server responses results in overflow of previously reserved memory Upstream patch: https://cgit.freedesktop.org/xorg/lib/libXrender/commit/?id=9362c7ddd1af3b168953d0737877bc52d79c94f4 External References: https://lists.x.org/archives/xorg-announce/2016-October/002720.html https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-7949 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
-rw-r--r--meta/recipes-graphics/xorg-lib/libxrender/CVE-2016-7949.patch59
-rw-r--r--meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb3
2 files changed, 62 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-lib/libxrender/CVE-2016-7949.patch b/meta/recipes-graphics/xorg-lib/libxrender/CVE-2016-7949.patch
new file mode 100644
index 0000000000..73315b1084
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libxrender/CVE-2016-7949.patch
@@ -0,0 +1,59 @@
+From 9362c7ddd1af3b168953d0737877bc52d79c94f4 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sun, 25 Sep 2016 21:43:09 +0200
+Subject: Validate lengths while parsing server data.
+
+Individual lengths inside received server data can overflow
+the previously reserved memory.
+
+It is therefore important to validate every single length
+field to not overflow the previously agreed sum of all invidual
+length fields.
+
+v2: consume remaining bytes in the reply buffer on error.
+
+CVE: CVE-2016-7949
+Upstream-Status: Backport
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+Reviewed-by: Matthieu Herrb@laas.fr
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+
+diff --git a/src/Xrender.c b/src/Xrender.c
+index 3102eb2..71cf3e6 100644
+--- a/src/Xrender.c
++++ b/src/Xrender.c
+@@ -533,12 +533,30 @@ XRenderQueryFormats (Display *dpy)
+ screen->fallback = _XRenderFindFormat (xri, xScreen->fallback);
+ screen->subpixel = SubPixelUnknown;
+ xDepth = (xPictDepth *) (xScreen + 1);
++ if (screen->ndepths > rep.numDepths) {
++ Xfree (xri);
++ Xfree (xData);
++ _XEatDataWords (dpy, rep.length);
++ UnlockDisplay (dpy);
++ SyncHandle ();
++ return 0;
++ }
++ rep.numDepths -= screen->ndepths;
+ for (nd = 0; nd < screen->ndepths; nd++)
+ {
+ depth->depth = xDepth->depth;
+ depth->nvisuals = xDepth->nPictVisuals;
+ depth->visuals = visual;
+ xVisual = (xPictVisual *) (xDepth + 1);
++ if (depth->nvisuals > rep.numVisuals) {
++ Xfree (xri);
++ Xfree (xData);
++ _XEatDataWords (dpy, rep.length);
++ UnlockDisplay (dpy);
++ SyncHandle ();
++ return 0;
++ }
++ rep.numVisuals -= depth->nvisuals;
+ for (nv = 0; nv < depth->nvisuals; nv++)
+ {
+ visual->visual = _XRenderFindVisual (dpy, xVisual->visual);
+--
+cgit v0.10.2
+
diff --git a/meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb b/meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb
index 44cb2e0ebb..eac367906c 100644
--- a/meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb
+++ b/meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb
@@ -19,5 +19,8 @@ XORG_PN = "libXrender"
BBCLASSEXTEND = "native nativesdk"
+SRC_URI += "file://CVE-2016-7949.patch \
+ "
+
SRC_URI[md5sum] = "5db92962b124ca3a8147daae4adbd622"
SRC_URI[sha256sum] = "fc2fe57980a14092426dffcd1f2d9de0987b9d40adea663bd70d6342c0e9be1a"