debian/changelog | 1 + render/render.c | 4 ++++ 2 files changed, 5 insertions(+)
New commits: commit ad85f60266fa5f2aade165c0621c4e77b2e01963 Author: Julien Cristau <[email protected]> Date: Fri Oct 13 15:27:25 2017 +0200 Update changelog
diff --git a/debian/changelog b/debian/changelog
index 3ad93ef..402f14e 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -19,6 +19,7 @@ xorg-server (2:1.19.2-1+deb9u2) UNRELEASED; urgency=high
 * Xext/shm: Validate shmseg resource id (CVE-2017-13721)
 * xkb: Handle xkb formated string output safely (CVE-2017-13723)
 * xkb: Escape non-printable characters correctly.
+ * render: Fix out of boundary heap access
 -- Julien Cristau <[email protected]> Fri, 13 Oct 2017 14:59:22 +0200
commit c00fdf2c642311c674b4ea2b16ee53b5beb7bbf6 Author: Tobias Stoeckmann <[email protected]> Date: Mon Mar 13 19:13:14 2017 +0100 render: Fix out of boundary heap access ProcRenderCreateRadialGradient and ProcRenderCreateConicalGradient must be protected against an integer overflow during length check. This is already included in ProcRenderCreateLinearGradient since the fix for CVE-2008-2362. This can only be successfully exploited on a 32 bit system for an out of boundary read later on. Validated by using ASAN. Reviewed-by: Adam Jackson <[email protected]> (cherry picked from commit ac15d4cecca377c5c31ab852c39bbd554ca48fe2)
diff --git a/render/render.c b/render/render.c
index 5fa8c05..3a41e33 100644
--- a/render/render.c
+++ b/render/render.c
@@ -1911,6 +1911,8 @@ ProcRenderCreateRadialGradient(ClientPtr client)
 LEGAL_NEW_RESOURCE(stuff->pid, client);
 len = (client->req_len << 2) - sizeof(xRenderCreateRadialGradientReq);
+ if (stuff->nStops > UINT32_MAX / (sizeof(xFixed) + sizeof(xRenderColor)))
+ return BadLength;
 if (len != stuff->nStops * (sizeof(xFixed) + sizeof(xRenderColor)))
 return BadLength;
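Review bot: The new guard `if (stuff->nStops > UINT32_MAX / (sizeof(xFixed) + sizeof(xRenderColor)))` in the ProcRenderCreateRadialGradient hunk gives no hint why UINT32_MAX is the bound, and on an LP64 build the condition can never be true, so a later reader is likely to see dead code and remove it; a why-comment belongs directly above it, e.g. `/* With a 32-bit size_t, nStops * (sizeof(xFixed) + sizeof(xRenderColor)) can wrap, letting a short request satisfy the length check below. */`. The length comparison on the following line also presumes `len` is non-negative, i.e. that the request's minimum size was validated before `len` is computed (presumably a REQUEST_AT_LEAST_SIZE-style check earlier in the function, which is not visible in the hunk); if that precondition does not hold, the added guard does not cover it. ProcRenderCreateRadialGradient starts and ends outside the hunk.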
@@ -1949,6 +1951,8 @@ ProcRenderCreateConicalGradient(ClientPtr client)
 LEGAL_NEW_RESOURCE(stuff->pid, client);
 len = (client->req_len << 2) - sizeof(xRenderCreateConicalGradientReq);
+ if (stuff->nStops > UINT32_MAX / (sizeof(xFixed) + sizeof(xRenderColor)))
+ return BadLength;
 if (len != stuff->nStops * (sizeof(xFixed) + sizeof(xRenderColor)))
 return BadLength;
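Review bot: The overflow guard and the length comparison added here are now copied verbatim in ProcRenderCreateLinearGradient (per the commit message), ProcRenderCreateRadialGradient and ProcRenderCreateConicalGradient, so the next gradient request type has to remember to copy both lines again and the reasoning behind the UINT32_MAX bound lives in three places; a single static helper that performs the guarded size check keeps it in one. The sketch below assumes `Bool`, `TRUE`/`FALSE` and `CARD32` are in scope as elsewhere in the X server, that `UINT32_MAX` is already available since the linear-gradient path uses it, and that `len` is non-negative when passed; `len`'s declared type is not visible in the hunk, so the parameter type may need adjusting. ProcRenderCreateConicalGradient starts and ends outside the hunk.

```c
/*
 * Check that a gradient request carries exactly nStops (xFixed, xRenderColor)
 * pairs in its trailing len bytes.  The division guard keeps the
 * multiplication from wrapping when size_t is 32 bits wide, which would
 * otherwise let a short request pass the equality test.
 */
static Bool
RenderGradientStopsLengthOk(CARD32 nStops, size_t len)
{
    const size_t stop_size = sizeof(xFixed) + sizeof(xRenderColor);

    if (nStops > UINT32_MAX / stop_size)
        return FALSE;
    return len == nStops * stop_size;
}

/* … unchanged: ProcRenderCreateConicalGradient up to the len computation … */
    len = (client->req_len << 2) - sizeof(xRenderCreateConicalGradientReq);
    if (!RenderGradientStopsLengthOk(stuff->nStops, len))
        return BadLength;
```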

