unofficial mirror of guix-devel@gnu.org 
 help / color / mirror / code / Atom feed
blob 1a64b6e72446a25f86461664fba8599941ad4cd1 2194 bytes (raw)
name: gnu/packages/patches/libxrender-CVE-2016-7950.patch 	 # note: path name is non-authoritative(*)
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73

 
Fix CVE-2016-7950:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7950

Patch copied from upstream source repository:

https://cgit.freedesktop.org/xorg/lib/libXrender/commit/?id=8fad00b0b647ee662ce4737ca15be033b7a21714

From 8fad00b0b647ee662ce4737ca15be033b7a21714 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Sun, 25 Sep 2016 21:42:09 +0200
Subject: [PATCH] Avoid OOB write in XRenderQueryFilters

The memory for filter names is reserved right after receiving the reply.
After that, filters are iterated and each individual filter name is
stored in that reserved memory.

The individual name lengths are not checked for validity, which means
that a malicious server can reserve less memory than it will write to
during each iteration.

v2: consume remaining bytes in reply buffer on error.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
---
 src/Filter.c | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/src/Filter.c b/src/Filter.c
index edfa572..8d701eb 100644
--- a/src/Filter.c
+++ b/src/Filter.c
@@ -38,7 +38,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
     char			*name;
     char			len;
     int				i;
-    unsigned long		nbytes, nbytesAlias, nbytesName;
+    unsigned long		nbytes, nbytesAlias, nbytesName, reply_left;
 
     if (!RenderHasExtension (info))
 	return NULL;
@@ -114,6 +114,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
      * Read the filter aliases
      */
     _XRead16Pad (dpy, filters->alias, 2 * rep.numAliases);
+    reply_left = 8 + rep.length - 2 * rep.numAliases;;
 
     /*
      * Read the filter names
@@ -122,9 +123,19 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
     {
 	int	l;
 	_XRead (dpy, &len, 1);
+	reply_left--;
 	l = len & 0xff;
+	if ((unsigned long)l + 1 > nbytesName) {
+            _XEatDataWords(dpy, reply_left);
+	    Xfree(filters);
+	    UnlockDisplay (dpy);
+	    SyncHandle ();
+	    return NULL;
+	}
+	nbytesName -= l + 1;
 	filters->filter[i] = name;
 	_XRead (dpy, name, l);
+        reply_left -= l;
 	name[l] = '\0';
 	name += l + 1;
     }
-- 
2.10.1


debug log:

solving 1a64b6e ...
found 1a64b6e in https://git.savannah.gnu.org/cgit/guix.git

(*) Git path names are given by the tree(s) the blob belongs to.
    Blobs themselves have no identifier aside from the hash of its contents.^
Code repositories for project(s) associated with this public inbox

	https://git.savannah.gnu.org/cgit/guix.git

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).