Package: release.debian.org
Severity: normal
Tags: jessie
User: release.debian@packages.debian.org
Usertags: pu
One more.
Cheers,
Julien
diff -u libxrender-0.9.8/debian/changelog libxrender-0.9.8/debian/changelog
--- libxrender-0.9.8/debian/changelog
+++ libxrender-0.9.8/debian/changelog
@@ -1,3 +1,11 @@
+libxrender (1:0.9.8-1+deb8u1) jessie; urgency=medium
+
+ * Insufficient validation of data from the X server
+can cause out of boundary memory writes. Addresses CVE-2016-7949 and
+CVE-2016-7950.
+
+ -- Julien Cristau Sat, 28 Jan 2017 15:11:56 +0100
+
libxrender (1:0.9.8-1) sid; urgency=low
* New upstream release.
only in patch2:
unchanged:
--- libxrender-0.9.8.orig/src/Filter.c
+++ libxrender-0.9.8/src/Filter.c
@@ -38,7 +38,7 @@
char *name;
char len;
inti;
-unsigned long nbytes, nbytesAlias, nbytesName;
+unsigned long nbytes, nbytesAlias, nbytesName, reply_left;
if (!RenderHasExtension (info))
return NULL;
@@ -114,6 +114,7 @@
* Read the filter aliases
*/
_XRead16Pad (dpy, filters->alias, 2 * rep.numAliases);
+reply_left = 8 + rep.length - 2 * rep.numAliases;;
/*
* Read the filter names
@@ -122,9 +123,19 @@
{
int l;
_XRead (dpy, , 1);
+ reply_left--;
l = len & 0xff;
+ if ((unsigned long)l + 1 > nbytesName) {
+_XEatDataWords(dpy, reply_left);
+ Xfree(filters);
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ return NULL;
+ }
+ nbytesName -= l + 1;
filters->filter[i] = name;
_XRead (dpy, name, l);
+reply_left -= l;
name[l] = '\0';
name += l + 1;
}
only in patch2:
unchanged:
--- libxrender-0.9.8.orig/src/Xrender.c
+++ libxrender-0.9.8/src/Xrender.c
@@ -533,12 +533,30 @@
screen->fallback = _XRenderFindFormat (xri, xScreen->fallback);
screen->subpixel = SubPixelUnknown;
xDepth = (xPictDepth *) (xScreen + 1);
+ if (screen->ndepths > rep.numDepths) {
+ Xfree (xri);
+ Xfree (xData);
+ _XEatDataWords (dpy, rep.length);
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ return 0;
+ }
+ rep.numDepths -= screen->ndepths;
for (nd = 0; nd < screen->ndepths; nd++)
{
depth->depth = xDepth->depth;
depth->nvisuals = xDepth->nPictVisuals;
depth->visuals = visual;
xVisual = (xPictVisual *) (xDepth + 1);
+ if (depth->nvisuals > rep.numVisuals) {
+ Xfree (xri);
+ Xfree (xData);
+ _XEatDataWords (dpy, rep.length);
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ return 0;
+ }
+ rep.numVisuals -= depth->nvisuals;
for (nv = 0; nv < depth->nvisuals; nv++)
{
visual->visual = _XRenderFindVisual (dpy, xVisual->visual);
signature.asc
Description: PGP signature