Overview

File U_dix_integer_overflow_in_ProcPutImage.patch of Package xorg-x11-server.5068

Subject: dix: integer overflow in ProcPutImage()
References: bnc#907268, CVE-2014-8092
Patch-Mainline: Upstream
Signed-off-by: Michal Srb <msrb@suse.com>

ProcPutImage() calculates a length field from a width, left pad and depth
specified by the client (if the specified format is XYPixmap).

The calculations for the total amount of memory the server needs for the
pixmap can overflow a 32-bit number, causing out-of-bounds memory writes
on 32-bit systems (since the length is stored in a long int variable).

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
---
 dix/dispatch.c |    3 +++
 1 file changed, 3 insertions(+)

diff --git a/dix/dispatch.c b/dix/dispatch.c
index d844a09..55b978d 100644
--- a/dix/dispatch.c
+++ b/dix/dispatch.c
@@ -2000,6 +2000,9 @@ ProcPutImage(ClientPtr client)
     tmpImage = (char *) &stuff[1];
     lengthProto = length;
 
+    if (lengthProto >= (INT32_MAX / stuff->height))
+        return BadLength;
+
     if ((bytes_to_int32(lengthProto * stuff->height) +
          bytes_to_int32(sizeof(xPutImageReq))) != client->req_len)
         return BadLength;
-- 
1.7.9.2
openSUSE Build Service is sponsored by
Places