Processed: Re: Bug#852952: jessie-pu: package libxrandr/2:1.4.2-1+deb8u1
Processing control commands: > tags -1 + pending Bug #852952 [release.debian.org] jessie-pu: package libxrandr/2:1.4.2-1+deb8u1 Added tag(s) pending. -- 852952: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852952 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#852952: jessie-pu: package libxrandr/2:1.4.2-1+deb8u1
Control: tags -1 + pending On Sat, 2017-11-18 at 18:37 +, Adam D. Barratt wrote: > Control: tags -1 + confirmed > > On Sat, 2017-09-09 at 13:49 +0200, Julien Cristau wrote: > > Control: tag -1 - moreinfo > > > > On Sat, Jan 28, 2017 at 15:10:24 +0100, Julien Cristau wrote: > > > > > Package: release.debian.org > > > Severity: normal > > > Tags: jessie > > > User: release.debian@packages.debian.org > > > Usertags: pu > > > > > > > New patch, now with less memory leak. I've also attached the diff > > from > > the previous one. > > > > Please go ahead. Flagged for acceptance. Regards, Adam
Bug#852952: jessie-pu: package libxrandr/2:1.4.2-1+deb8u1
Control: tags -1 + confirmed On Sat, 2017-09-09 at 13:49 +0200, Julien Cristau wrote: > Control: tag -1 - moreinfo > > On Sat, Jan 28, 2017 at 15:10:24 +0100, Julien Cristau wrote: > > > Package: release.debian.org > > Severity: normal > > Tags: jessie > > User: release.debian@packages.debian.org > > Usertags: pu > > > > New patch, now with less memory leak. I've also attached the diff > from > the previous one. > Please go ahead. Regards, Adam
Processed: Re: Bug#852952: jessie-pu: package libxrandr/2:1.4.2-1+deb8u1
Processing control commands: > tags -1 + confirmed Bug #852952 [release.debian.org] jessie-pu: package libxrandr/2:1.4.2-1+deb8u1 Added tag(s) confirmed. -- 852952: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852952 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#852952: jessie-pu: package libxrandr/2:1.4.2-1+deb8u1
Control: tag -1 - moreinfo On Sat, Jan 28, 2017 at 15:10:24 +0100, Julien Cristau wrote: > Package: release.debian.org > Severity: normal > Tags: jessie > User: release.debian@packages.debian.org > Usertags: pu > New patch, now with less memory leak. I've also attached the diff from the previous one. Cheers, Julien diff --git a/debian/changelog b/debian/changelog index 0f83cd4..e804fe2 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +libxrandr (2:1.4.2-1+deb8u1) jessie; urgency=medium + + * Avoid out of boundary accesses on illegal responses. Addresses +CVE-2016-7947 and CVE-2016-7948. + + -- Julien CristauSat, 09 Sep 2017 13:45:59 +0200 + libxrandr (2:1.4.2-1) sid; urgency=medium * New upstream release. diff --git a/src/XrrConfig.c b/src/XrrConfig.c index 2f0282b..e68c45a 100644 --- a/src/XrrConfig.c +++ b/src/XrrConfig.c @@ -29,6 +29,7 @@ #include #endif +#include #include #include /* we need to be able to manipulate the Display structure on events */ 
@@ -272,23 +273,30 @@ static XRRScreenConfiguration *_XRRGetScreenInfo (Display *dpy, rep.rate = 0; rep.nrateEnts = 0; } +if (rep.length < INT_MAX >> 2) { + nbytes = (long) rep.length << 2; -nbytes = (long) rep.length << 2; + nbytesRead = (long) (rep.nSizes * SIZEOF (xScreenSizes) + + ((rep.nrateEnts + 1)& ~1) * 2 /* SIZEOF(CARD16) */); -nbytesRead = (long) (rep.nSizes * SIZEOF (xScreenSizes) + - ((rep.nrateEnts + 1)& ~1) * 2 /* SIZEOF (CARD16) */); + /* + * first we must compute how much space to allocate for + * randr library's use; we'll allocate the structures in a single + * allocation, on cleanlyness grounds. + */ -/* - * first we must compute how much space to allocate for - * randr library's use; we'll allocate the structures in a single - * allocation, on cleanlyness grounds. - */ + rbytes = sizeof (XRRScreenConfiguration) + + (rep.nSizes * sizeof (XRRScreenSize) + + rep.nrateEnts * sizeof (int)); -rbytes = sizeof (XRRScreenConfiguration) + - (rep.nSizes * sizeof (XRRScreenSize) + - rep.nrateEnts * sizeof (int)); + scp = (struct _XRRScreenConfiguration *) Xmalloc(rbytes); +} else { + nbytes = 0; + nbytesRead = 0; + rbytes = 0; + scp = NULL; +} -scp = (struct _XRRScreenConfiguration *) Xmalloc(rbytes); if (scp == NULL) { _XEatData (dpy, (unsigned long) nbytes); return NULL; diff --git a/src/XrrCrtc.c b/src/XrrCrtc.c index a704a52..b10bad4 100644 --- a/src/XrrCrtc.c +++ b/src/XrrCrtc.c @@ -24,6 +24,7 @@ #include #endif +#include #include #include /* we need to be able to manipulate the Display structure on events */ 
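Review bot: In the `_XRRGetScreenInfo` hunk the new `else` branch sets `nbytes = 0`, so the unchanged `_XEatData (dpy, (unsigned long) nbytes);` in the `scp == NULL` path discards nothing when `rep.length` fails the `INT_MAX >> 2` test. The rejected reply's payload then appears to stay unread on the connection, which would presumably leave later replies misparsed. The XrrCrtc.c hunk handles the same case by discarding on the wire length, so the same call fits here: `_XEatDataWords (dpy, rep.length);`. The function continues outside the hunk, and the earlier version of the patch further down the page carries the identical code.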
@@ -57,22 +58,33 @@ XRRGetCrtcInfo (Display *dpy, XRRScreenResources *resources, RRCrtc crtc) return NULL; } -nbytes = (long) rep.length << 2; +if (rep.length < INT_MAX >> 2) +{ + nbytes = (long) rep.length << 2; -nbytesRead = (long) (rep.nOutput * 4 + - rep.nPossibleOutput * 4); + nbytesRead = (long) (rep.nOutput * 4 + + rep.nPossibleOutput * 4); -/* - * first we must compute how much space to allocate for - * randr library's use; we'll allocate the structures in a single - * allocation, on cleanlyness grounds. - */ + /* + * first we must compute how much space to allocate for + * randr library's use; we'll allocate the structures in a single + * allocation, on cleanlyness grounds. + */ -rbytes = (sizeof (XRRCrtcInfo) + - rep.nOutput * sizeof (RROutput) + - rep.nPossibleOutput * sizeof (RROutput)); + rbytes = (sizeof (XRRCrtcInfo) + + rep.nOutput * sizeof (RROutput) + + rep.nPossibleOutput * sizeof (RROutput)); + + xci = (XRRCrtcInfo *) Xmalloc(rbytes); +} +else +{ + nbytes = 0; + nbytesRead = 0; + rbytes = 0; + xci = NULL; +} -xci = (XRRCrtcInfo *) Xmalloc(rbytes); if (xci == NULL) { _XEatDataWords (dpy, rep.length); UnlockDisplay (dpy); @@ -194,12 +206,21 @@ XRRGetCrtcGamma (Display *dpy, RRCrtc crtc) if (!_XReply (dpy, (xReply *) , 0, xFalse)) goto out; -nbytes = (long) rep.length << 2; +if (rep.length < INT_MAX >> 2) +{ + nbytes = (long) rep.length << 2; -/* three channels of CARD16 data */ -nbytesRead = (rep.size * 2 * 3); + /* three channels of CARD16 data */ + nbytesRead = (rep.size * 2 * 3); -crtc_gamma = XRRAllocGamma (rep.size); + crtc_gamma = XRRAllocGamma (rep.size); +} +else +{ + nbytes = 0; + nbytesRead = 0; + crtc_gamma = NULL; +} if (!crtc_gamma) { @@ -357,7 +378,7 @@ XRRGetCrtcTransform (Display *dpy, xRRGetCrtcTransformReq *req; intmajor_version, minor_version; XRRCrtcTransformAttributes *attr; -char *extra = NULL, *e; +char *extra = NULL, *end = NULL, *e; intp; *attributes = NULL; 
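Review bot: In the `XRRGetCrtcInfo` hunk the added guard bounds only `rep.length`; `nbytesRead`, which is derived from the server-supplied `rep.nOutput` and `rep.nPossibleOutput`, is never compared with `nbytes` inside the hunk. If the code after the hunk reads `nbytesRead` bytes without that comparison, a reply whose counts exceed its declared length would be read past its end. Rejecting it before allocation would close the gap, e.g. `if (nbytesRead <= nbytes) xci = (XRRCrtcInfo *) Xmalloc(rbytes); else xci = NULL;`. The `XRRGetCrtcGamma` hunk has the same shape with `nbytesRead = (rep.size * 2 * 3)`. Both functions continue outside their hunks, so a later check may already exist and should be confirmed.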
@@ -395,9 +416,17 @@ XRRGetCrtcTransform (Display *dpy, else { int extraBytes = rep.length * 4 -
Processed: Re: Bug#852952: jessie-pu: package libxrandr/2:1.4.2-1+deb8u1
Processing control commands: > tag -1 - moreinfo Bug #852952 [release.debian.org] jessie-pu: package libxrandr/2:1.4.2-1+deb8u1 Removed tag(s) moreinfo. -- 852952: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=852952 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
Bug#852952: jessie-pu: package libxrandr/2:1.4.2-1+deb8u1
Package: release.debian.org Severity: normal Tags: jessie User: release.debian@packages.debian.org Usertags: pu As with libx11 and libxfixes... Cheers, Julien diff -u libxrandr-1.4.2/debian/changelog libxrandr-1.4.2/debian/changelog --- libxrandr-1.4.2/debian/changelog +++ libxrandr-1.4.2/debian/changelog @@ -1,3 +1,10 @@ +libxrandr (2:1.4.2-1+deb8u1) jessie; urgency=medium + + * Avoid out of boundary accesses on illegal responses. Addresses +CVE-2016-7947 and CVE-2016-7948. + + -- Julien CristauSat, 28 Jan 2017 15:00:17 +0100 + libxrandr (2:1.4.2-1) sid; urgency=medium * New upstream release. only in patch2: unchanged: --- libxrandr-1.4.2.orig/src/XrrConfig.c +++ libxrandr-1.4.2/src/XrrConfig.c @@ -29,6 +29,7 @@ #include #endif +#include #include #include /* we need to be able to manipulate the Display structure on events */ 
@@ -272,23 +273,30 @@ rep.rate = 0; rep.nrateEnts = 0; } +if (rep.length < INT_MAX >> 2) { + nbytes = (long) rep.length << 2; -nbytes = (long) rep.length << 2; + nbytesRead = (long) (rep.nSizes * SIZEOF (xScreenSizes) + + ((rep.nrateEnts + 1)& ~1) * 2 /* SIZEOF(CARD16) */); -nbytesRead = (long) (rep.nSizes * SIZEOF (xScreenSizes) + -((rep.nrateEnts + 1)& ~1) * 2 /* SIZEOF (CARD16) */); + /* +* first we must compute how much space to allocate for +* randr library's use; we'll allocate the structures in a single +* allocation, on cleanlyness grounds. +*/ + + rbytes = sizeof (XRRScreenConfiguration) + + (rep.nSizes * sizeof (XRRScreenSize) + + rep.nrateEnts * sizeof (int)); -/* - * first we must compute how much space to allocate for - * randr library's use; we'll allocate the structures in a single - * allocation, on cleanlyness grounds. - */ - -rbytes = sizeof (XRRScreenConfiguration) + - (rep.nSizes * sizeof (XRRScreenSize) + - rep.nrateEnts * sizeof (int)); + scp = (struct _XRRScreenConfiguration *) Xmalloc(rbytes); +} else { + nbytes = 0; + nbytesRead = 0; + rbytes = 0; + scp = NULL; +} -scp = (struct _XRRScreenConfiguration *) Xmalloc(rbytes); if (scp == NULL) { _XEatData (dpy, (unsigned long) nbytes); return NULL; only in patch2: unchanged: --- libxrandr-1.4.2.orig/src/XrrCrtc.c +++ libxrandr-1.4.2/src/XrrCrtc.c @@ -24,6 +24,7 @@ #include #endif +#include #include #include /* we need to be able to manipulate the Display structure on events */ 
@@ -57,22 +58,33 @@ return NULL; } -nbytes = (long) rep.length << 2; +if (rep.length < INT_MAX >> 2) +{ + nbytes = (long) rep.length << 2; -nbytesRead = (long) (rep.nOutput * 4 + -rep.nPossibleOutput * 4); + nbytesRead = (long) (rep.nOutput * 4 + +rep.nPossibleOutput * 4); -/* - * first we must compute how much space to allocate for - * randr library's use; we'll allocate the structures in a single - * allocation, on cleanlyness grounds. - */ + /* +* first we must compute how much space to allocate for +* randr library's use; we'll allocate the structures in a single +* allocation, on cleanlyness grounds. +*/ + + rbytes = (sizeof (XRRCrtcInfo) + + rep.nOutput * sizeof (RROutput) + + rep.nPossibleOutput * sizeof (RROutput)); -rbytes = (sizeof (XRRCrtcInfo) + - rep.nOutput * sizeof (RROutput) + - rep.nPossibleOutput * sizeof (RROutput)); + xci = (XRRCrtcInfo *) Xmalloc(rbytes); +} +else +{ + nbytes = 0; + nbytesRead = 0; + rbytes = 0; + xci = NULL; +} -xci = (XRRCrtcInfo *) Xmalloc(rbytes); if (xci == NULL) { _XEatDataWords (dpy, rep.length); UnlockDisplay (dpy); @@ -194,12 +206,21 @@ if (!_XReply (dpy, (xReply *) , 0, xFalse)) goto out; -nbytes = (long) rep.length << 2; +if (rep.length < INT_MAX >> 2) +{ + nbytes = (long) rep.length << 2; -/* three channels of CARD16 data */ -nbytesRead = (rep.size * 2 * 3); + /* three channels of CARD16 data */ + nbytesRead = (rep.size * 2 * 3); -crtc_gamma = XRRAllocGamma (rep.size); + crtc_gamma = XRRAllocGamma (rep.size); +} +else +{ + nbytes = 0; + nbytesRead = 0; + crtc_gamma = NULL; +} if (!crtc_gamma) { @@ -357,7 +378,7 @@ xRRGetCrtcTransformReq *req; intmajor_version, minor_version; XRRCrtcTransformAttributes *attr; -char *extra = NULL, *e; +char *extra = NULL, *end = NULL, *e; intp; *attributes = NULL; @@ -395,9 +416,17 @@