Diffstat (limited to 'import-layers/yocto-poky/meta/recipes-graphics/xorg-lib')
-rw-r--r-- | import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7942.patch | 69 | ||||
-rw-r--r-- | import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7943.patch | 103 | ||||
-rw-r--r-- | import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb | 2 | ||||
-rw-r--r-- | import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrandr/CVE-2016-7947_CVE-2016-7948.patch | 439 | ||||
-rw-r--r-- | import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrandr_1.5.0.bb | 3 | ||||
-rw-r--r-- | import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrender/CVE-2016-7949.patch | 59 | ||||
-rw-r--r-- | import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb | 3 | ||||
-rw-r--r-- | import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxtst_1.2.3.bb (renamed from import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxtst_1.2.2.bb) | 4 |
8 files changed, 680 insertions, 2 deletions
diff --git a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7942.patch b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7942.patch
new file mode 100644
index 000000000..f5b4d69d4
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7942.patch
@@ -0,0 +1,69 @@
+From 8ea762f94f4c942d898fdeb590a1630c83235c17 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sun, 25 Sep 2016 21:25:25 +0200
+Subject: Validation of server responses in XGetImage()
+
+Check if enough bytes were received for specified image type and
+geometry. Otherwise GetPixel and other functions could trigger an
+out of boundary read later on.
+
+CVE: CVE-2016-7942
+Upstream-Status: Backport
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+
+diff --git a/src/GetImage.c b/src/GetImage.c
+index c461abc..ff32d58 100644
+--- a/src/GetImage.c
++++ b/src/GetImage.c
+@@ -59,6 +59,7 @@ XImage *XGetImage (
+ char *data;
+ unsigned long nbytes;
+ XImage *image;
++ int planes;
+ LockDisplay(dpy);
+ GetReq (GetImage, req);
+ /*
+@@ -91,18 +92,28 @@ XImage *XGetImage (
+ return (XImage *) NULL;
+ }
+ _XReadPad (dpy, data, nbytes);
+- if (format == XYPixmap)
+- image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual),
+- Ones (plane_mask &
+- (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))),
+- format, 0, data, width, height, dpy->bitmap_pad, 0);
+- else /* format == ZPixmap */
+- image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual),
+- rep.depth, ZPixmap, 0, data, width, height,
+- _XGetScanlinePad(dpy, (int) rep.depth), 0);
++ if (format == XYPixmap) {
++ image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual),
++ Ones (plane_mask &
++ (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))),
++ format, 0, data, width, height, dpy->bitmap_pad, 0);
++ planes = image->depth;
++ } else { /* format == ZPixmap */
++ image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual),
++ rep.depth, ZPixmap, 0, data, width, height,
++ _XGetScanlinePad(dpy, (int) rep.depth), 0);
++ planes = 1;
++ }
+
+ if (!image)
+ Xfree(data);
++ if (planes < 1 || image->height < 1 || image->bytes_per_line < 1 ||
++ INT_MAX / image->height <= image->bytes_per_line ||
++ INT_MAX / planes <= image->height * image->bytes_per_line ||
++ nbytes < planes * image->height * image->bytes_per_line) {
++ XDestroyImage(image);
++ image = NULL;
++ }
+ UnlockDisplay(dpy);
+ SyncHandle();
+ return (image);
+--
+cgit v0.10.2
+
diff --git a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7943.patch b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7943.patch
new file mode 100644
index 000000000..50024236d
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7943.patch
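Review bot: `image` is dereferenced before it is known to be non-NULL in the patched XGetImage: `planes = image->depth;` in the XYPixmap branch runs straight after XCreateImage(), and the added size check reads `image->height` even when the preceding `if (!image) Xfree(data);` has just fired. A failed XCreateImage() would therefore crash the client on the path this patch adds instead of returning NULL. Suggest `planes = image ? image->depth : 0;` and making the validation the else arm of the NULL test, `if (!image) { Xfree(data); } else if (planes < 1 || ...) {`. Only part of XGetImage is inside the two inner hunks, so the earlier handling of `data` and `nbytes` is not visible here.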
@@ -0,0 +1,103 @@
+From 8c29f1607a31dac0911e45a0dd3d74173822b3c9 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sun, 25 Sep 2016 21:22:57 +0200
+Subject: The validation of server responses avoids out of boundary accesses.
+
+v2: FontNames.c return a NULL list whenever a single
+length field from the server is incohent.
+
+CVE: CVE-2016-7943
+Upstream-Status: Backport
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+
+diff --git a/src/FontNames.c b/src/FontNames.c
+index 21dcafe..e55f338 100644
+--- a/src/FontNames.c
++++ b/src/FontNames.c
+@@ -66,7 +66,7 @@ int *actualCount) /* RETURN */
+
+ if (rep.nFonts) {
+ flist = Xmalloc (rep.nFonts * sizeof(char *));
+- if (rep.length < (INT_MAX >> 2)) {
++ if (rep.length > 0 && rep.length < (INT_MAX >> 2)) {
+ rlen = rep.length << 2;
+ ch = Xmalloc(rlen + 1);
+ /* +1 to leave room for last null-terminator */
+@@ -93,11 +93,22 @@ int *actualCount) /* RETURN */
+ if (ch + length < chend) {
+ flist[i] = ch + 1; /* skip over length */
+ ch += length + 1; /* find next length ... */
+- length = *(unsigned char *)ch;
+- *ch = '\0'; /* and replace with null-termination */
+- count++;
+- } else
+- flist[i] = NULL;
++ if (ch <= chend) {
++ length = *(unsigned char *)ch;
++ *ch = '\0'; /* and replace with null-termination */
++ count++;
++ } else {
++ Xfree(flist);
++ flist = NULL;
++ count = 0;
++ break;
++ }
++ } else {
++ Xfree(flist);
++ flist = NULL;
++ count = 0;
++ break;
++ }
+ }
+ }
+ *actualCount = count;
+diff --git a/src/ListExt.c b/src/ListExt.c
+index be6b989..0516e45 100644
+--- a/src/ListExt.c
++++ b/src/ListExt.c
+@@ -55,7 +55,7 @@ char **XListExtensions(
+
+ if (rep.nExtensions) {
+ list = Xmalloc (rep.nExtensions * sizeof (char *));
+- if (rep.length < (INT_MAX >> 2)) {
++ if (rep.length > 0 && rep.length < (INT_MAX >> 2)) {
+ rlen = rep.length << 2;
+ ch = Xmalloc (rlen + 1);
+ /* +1 to leave room for last null-terminator */
+@@ -80,9 +80,13 @@ char **XListExtensions(
+ if (ch + length < chend) {
+ list[i] = ch+1; /* skip over length */
+ ch += length + 1; /* find next length ... */
+- length = *ch;
+- *ch = '\0'; /* and replace with null-termination */
+- count++;
++ if (ch <= chend) {
++ length = *ch;
++ *ch = '\0'; /* and replace with null-termination */
++ count++;
++ } else {
++ list[i] = NULL;
++ }
+ } else
+ list[i] = NULL;
+ }
+diff --git a/src/ModMap.c b/src/ModMap.c
+index a809aa2..49a5d08 100644
+--- a/src/ModMap.c
++++ b/src/ModMap.c
+@@ -42,7 +42,8 @@ XGetModifierMapping(register Display *dpy)
+ GetEmptyReq(GetModifierMapping, req);
+ (void) _XReply (dpy, (xReply *)&rep, 0, xFalse);
+
+- if (rep.length < (INT_MAX >> 2)) {
++ if (rep.length < (INT_MAX >> 2) &&
++ (rep.length >> 1) == rep.numKeyPerModifier) {
+ nbytes = (unsigned long)rep.length << 2;
+ res = Xmalloc(sizeof (XModifierKeymap));
+ if (res)
+--
+cgit v0.10.2
+
diff --git a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb
index 8e531c745..23a77891e 100644
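Review bot: The new bail-out paths in the FontNames.c loop (`Xfree(flist); flist = NULL; count = 0; break;`) release only the pointer array; the string buffer obtained with `ch = Xmalloc(rlen + 1)` is not freed in the lines shown, and `ch` has already been advanced, so a saved copy of the original pointer is needed to free it. Unless code outside the hunk releases it, every malformed reply leaks that buffer. Separately, `if (ch <= chend)` admits `ch == chend` and then reads and writes `*ch`; that is in bounds only if `chend` (set outside the hunk) points at the last allocated byte rather than one past it, which should be confirmed. The same check was added to ListExt.c, where the failure case instead stores `list[i] = NULL` and keeps going, so the two functions now report the same malformed reply differently.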
--- a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb +++ b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb @@ -5,6 +5,8 @@ BBCLASSEXTEND = "native nativesdk" SRC_URI += "file://disable_tests.patch \ file://libX11-Add-missing-NULL-check.patch \ + file://CVE-2016-7942.patch \ + file://CVE-2016-7943.patch \ " SRC_URI[md5sum] = "2e36b73f8a42143142dda8129f02e4e0" diff --git a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrandr/CVE-2016-7947_CVE-2016-7948.patch b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrandr/CVE-2016-7947_CVE-2016-7948.patch new file mode 100644 index 000000000..a9b3dbc65 --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrandr/CVE-2016-7947_CVE-2016-7948.patch 
@@ -0,0 +1,439 @@
+From a0df3e1c7728205e5c7650b2e6dce684139254a6 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sun, 25 Sep 2016 22:21:40 +0200
+Subject: Avoid out of boundary accesses on illegal responses
+
+The responses of the connected X server have to be properly checked
+to avoid out of boundary accesses that could otherwise be triggered
+by a malicious server.
+
+CVE: CVE-2016-7947
+libXrandr: Insufficient validation of server responses result in Integer overflows
+
+CVE: CVE-2016-7948
+libXrandr: Insufficient validation of server responses result in various data mishandlings
+
+Upstream-Status: Backport
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+
+diff --git a/src/XrrConfig.c b/src/XrrConfig.c
+index 2f0282b..e68c45a 100644
+--- a/src/XrrConfig.c
++++ b/src/XrrConfig.c
+@@ -29,6 +29,7 @@
+ #include <config.h>
+ #endif
+
++#include <limits.h>
+ #include <stdio.h>
+ #include <X11/Xlib.h>
+ /* we need to be able to manipulate the Display structure on events */
+@@ -272,23 +273,30 @@ static XRRScreenConfiguration *_XRRGetScreenInfo (Display *dpy,
+ rep.rate = 0;
+ rep.nrateEnts = 0;
+ }
++ if (rep.length < INT_MAX >> 2) {
++ nbytes = (long) rep.length << 2;
+
+- nbytes = (long) rep.length << 2;
++ nbytesRead = (long) (rep.nSizes * SIZEOF (xScreenSizes) +
++ ((rep.nrateEnts + 1)& ~1) * 2 /* SIZEOF(CARD16) */);
+
+- nbytesRead = (long) (rep.nSizes * SIZEOF (xScreenSizes) +
+- ((rep.nrateEnts + 1)& ~1) * 2 /* SIZEOF (CARD16) */);
++ /*
++ * first we must compute how much space to allocate for
++ * randr library's use; we'll allocate the structures in a single
++ * allocation, on cleanlyness grounds.
++ */
+
+- /*
+- * first we must compute how much space to allocate for
+- * randr library's use; we'll allocate the structures in a single
+- * allocation, on cleanlyness grounds.
+- */
++ rbytes = sizeof (XRRScreenConfiguration) +
++ (rep.nSizes * sizeof (XRRScreenSize) +
++ rep.nrateEnts * sizeof (int));
+
+- rbytes = sizeof (XRRScreenConfiguration) +
+- (rep.nSizes * sizeof (XRRScreenSize) +
+- rep.nrateEnts * sizeof (int));
++ scp = (struct _XRRScreenConfiguration *) Xmalloc(rbytes);
++ } else {
++ nbytes = 0;
++ nbytesRead = 0;
++ rbytes = 0;
++ scp = NULL;
++ }
+
+- scp = (struct _XRRScreenConfiguration *) Xmalloc(rbytes);
+ if (scp == NULL) {
+ _XEatData (dpy, (unsigned long) nbytes);
+ return NULL;
+diff --git a/src/XrrCrtc.c b/src/XrrCrtc.c
+index 5ae35c5..6665092 100644
+--- a/src/XrrCrtc.c
++++ b/src/XrrCrtc.c
+@@ -24,6 +24,7 @@
+ #include <config.h>
+ #endif
+
++#include <limits.h>
+ #include <stdio.h>
+ #include <X11/Xlib.h>
+ /* we need to be able to manipulate the Display structure on events */
+@@ -57,22 +58,33 @@ XRRGetCrtcInfo (Display *dpy, XRRScreenResources *resources, RRCrtc crtc)
+ return NULL;
+ }
+
+- nbytes = (long) rep.length << 2;
++ if (rep.length < INT_MAX >> 2)
++ {
++ nbytes = (long) rep.length << 2;
+
+- nbytesRead = (long) (rep.nOutput * 4 +
+- rep.nPossibleOutput * 4);
++ nbytesRead = (long) (rep.nOutput * 4 +
++ rep.nPossibleOutput * 4);
+
+- /*
+- * first we must compute how much space to allocate for
+- * randr library's use; we'll allocate the structures in a single
+- * allocation, on cleanlyness grounds.
+- */
++ /*
++ * first we must compute how much space to allocate for
++ * randr library's use; we'll allocate the structures in a single
++ * allocation, on cleanlyness grounds.
++ */
+
+- rbytes = (sizeof (XRRCrtcInfo) +
+- rep.nOutput * sizeof (RROutput) +
+- rep.nPossibleOutput * sizeof (RROutput));
++ rbytes = (sizeof (XRRCrtcInfo) +
++ rep.nOutput * sizeof (RROutput) +
++ rep.nPossibleOutput * sizeof (RROutput));
++
++ xci = (XRRCrtcInfo *) Xmalloc(rbytes);
++ }
++ else
++ {
++ nbytes = 0;
++ nbytesRead = 0;
++ rbytes = 0;
++ xci = NULL;
++ }
+
+- xci = (XRRCrtcInfo *) Xmalloc(rbytes);
+ if (xci == NULL) {
+ _XEatDataWords (dpy, rep.length);
+ UnlockDisplay (dpy);
+@@ -194,12 +206,21 @@ XRRGetCrtcGamma (Display *dpy, RRCrtc crtc)
+ if (!_XReply (dpy, (xReply *) &rep, 0, xFalse))
+ goto out;
+
+- nbytes = (long) rep.length << 2;
++ if (rep.length < INT_MAX >> 2)
++ {
++ nbytes = (long) rep.length << 2;
+
+- /* three channels of CARD16 data */
+- nbytesRead = (rep.size * 2 * 3);
++ /* three channels of CARD16 data */
++ nbytesRead = (rep.size * 2 * 3);
+
+- crtc_gamma = XRRAllocGamma (rep.size);
++ crtc_gamma = XRRAllocGamma (rep.size);
++ }
++ else
++ {
++ nbytes = 0;
++ nbytesRead = 0;
++ crtc_gamma = NULL;
++ }
+
+ if (!crtc_gamma)
+ {
+@@ -357,7 +378,7 @@ XRRGetCrtcTransform (Display *dpy,
+ xRRGetCrtcTransformReq *req;
+ int major_version, minor_version;
+ XRRCrtcTransformAttributes *attr;
+- char *extra = NULL, *e;
++ char *extra = NULL, *end = NULL, *e;
+ int p;
+
+ *attributes = NULL;
+@@ -395,9 +416,17 @@ XRRGetCrtcTransform (Display *dpy,
+ else
+ {
+ int extraBytes = rep.length * 4 - CrtcTransformExtra;
+- extra = Xmalloc (extraBytes);
++ if (rep.length < INT_MAX / 4 &&
++ rep.length * 4 >= CrtcTransformExtra) {
++ extra = Xmalloc (extraBytes);
++ end = extra + extraBytes;
++ } else
++ extra = NULL;
+ if (!extra) {
+- _XEatDataWords (dpy, rep.length - (CrtcTransformExtra >> 2));
++ if (rep.length > (CrtcTransformExtra >> 2))
++ _XEatDataWords (dpy, rep.length - (CrtcTransformExtra >> 2));
++ else
++ _XEatDataWords (dpy, rep.length);
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ return False;
+@@ -429,22 +458,38 @@ XRRGetCrtcTransform (Display *dpy,
+
+ e = extra;
+
++ if (e + rep.pendingNbytesFilter > end) {
++ XFree (extra);
++ return False;
++ }
+ memcpy (attr->pendingFilter, e, rep.pendingNbytesFilter);
+ attr->pendingFilter[rep.pendingNbytesFilter] = '\0';
+ e += (rep.pendingNbytesFilter + 3) & ~3;
+ for (p = 0; p < rep.pendingNparamsFilter; p++) {
+ INT32 f;
++ if (e + 4 > end) {
++ XFree (extra);
++ return False;
++ }
+ memcpy (&f, e, 4);
+ e += 4;
+ attr->pendingParams[p] = (XFixed) f;
+ }
+ attr->pendingNparams = rep.pendingNparamsFilter;
+
++ if (e + rep.currentNbytesFilter > end) {
++ XFree (extra);
++ return False;
++ }
+ memcpy (attr->currentFilter, e, rep.currentNbytesFilter);
+ attr->currentFilter[rep.currentNbytesFilter] = '\0';
+ e += (rep.currentNbytesFilter + 3) & ~3;
+ for (p = 0; p < rep.currentNparamsFilter; p++) {
+ INT32 f;
++ if (e + 4 > end) {
++ XFree (extra);
++ return False;
++ }
+ memcpy (&f, e, 4);
+ e += 4;
+ attr->currentParams[p] = (XFixed) f;
+diff --git a/src/XrrMonitor.c b/src/XrrMonitor.c
+index a9eaa7b..adc5330 100644
+--- a/src/XrrMonitor.c
++++ b/src/XrrMonitor.c
+@@ -24,6 +24,7 @@
+ #include <config.h>
+ #endif
+
++#include <limits.h>
+ #include <stdio.h>
+ #include <X11/Xlib.h>
+ /* we need to be able to manipulate the Display structure on events */
+@@ -65,6 +66,15 @@ XRRGetMonitors(Display *dpy, Window window, Bool get_active, int *nmonitors)
+ return NULL;
+ }
+
++ if (rep.length > INT_MAX >> 2 ||
++ rep.nmonitors > INT_MAX / SIZEOF(xRRMonitorInfo) ||
++ rep.noutputs > INT_MAX / 4 ||
++ rep.nmonitors * SIZEOF(xRRMonitorInfo) > INT_MAX - rep.noutputs * 4) {
++ _XEatData (dpy, rep.length);
++ UnlockDisplay (dpy);
++ SyncHandle ();
++ return NULL;
++ }
+ nbytes = (long) rep.length << 2;
+ nmon = rep.nmonitors;
+ noutput = rep.noutputs;
+@@ -111,6 +121,14 @@ XRRGetMonitors(Display *dpy, Window window, Bool get_active, int *nmonitors)
+ mon[m].outputs = output;
+ buf += SIZEOF (xRRMonitorInfo);
+ xoutput = (CARD32 *) buf;
++ if (xmon->noutput > rep.noutputs) {
++ Xfree(buf);
++ Xfree(mon);
++ UnlockDisplay (dpy);
++ SyncHandle ();
++ return NULL;
++ }
++ rep.noutputs -= xmon->noutput;
+ for (o = 0; o < xmon->noutput; o++)
+ output[o] = xoutput[o];
+ output += xmon->noutput;
+diff --git a/src/XrrOutput.c b/src/XrrOutput.c
+index 85f0b6e..30f3d40 100644
+--- a/src/XrrOutput.c
++++ b/src/XrrOutput.c
+@@ -25,6 +25,7 @@
+ #include <config.h>
+ #endif
+
++#include <limits.h>
+ #include <stdio.h>
+ #include <X11/Xlib.h>
+ /* we need to be able to manipulate the Display structure on events */
+@@ -60,6 +61,16 @@ XRRGetOutputInfo (Display *dpy, XRRScreenResources *resources, RROutput output)
+ return NULL;
+ }
+
++ if (rep.length > INT_MAX >> 2 || rep.length < (OutputInfoExtra >> 2))
++ {
++ if (rep.length > (OutputInfoExtra >> 2))
++ _XEatDataWords (dpy, rep.length - (OutputInfoExtra >> 2));
++ else
++ _XEatDataWords (dpy, rep.length);
++ UnlockDisplay (dpy);
++ SyncHandle ();
++ return NULL;
++ }
+ nbytes = ((long) (rep.length) << 2) - OutputInfoExtra;
+
+ nbytesRead = (long) (rep.nCrtcs * 4 +
+diff --git a/src/XrrProvider.c b/src/XrrProvider.c
+index 9e620c7..d796cd0 100644
+--- a/src/XrrProvider.c
++++ b/src/XrrProvider.c
+@@ -25,6 +25,7 @@
+ #include <config.h>
+ #endif
+
++#include <limits.h>
+ #include <stdio.h>
+ #include <X11/Xlib.h>
+ /* we need to be able to manipulate the Display structure on events */
+@@ -59,12 +60,20 @@ XRRGetProviderResources(Display *dpy, Window window)
+ return NULL;
+ }
+
+- nbytes = (long) rep.length << 2;
++ if (rep.length < INT_MAX >> 2) {
++ nbytes = (long) rep.length << 2;
+
+- nbytesRead = (long) (rep.nProviders * 4);
++ nbytesRead = (long) (rep.nProviders * 4);
+
+- rbytes = (sizeof(XRRProviderResources) + rep.nProviders * sizeof(RRProvider));
+- xrpr = (XRRProviderResources *) Xmalloc(rbytes);
++ rbytes = (sizeof(XRRProviderResources) + rep.nProviders *
++ sizeof(RRProvider));
++ xrpr = (XRRProviderResources *) Xmalloc(rbytes);
++ } else {
++ nbytes = 0;
++ nbytesRead = 0;
++ rbytes = 0;
++ xrpr = NULL;
++ }
+
+ if (xrpr == NULL) {
+ _XEatDataWords (dpy, rep.length);
+@@ -121,6 +130,17 @@ XRRGetProviderInfo(Display *dpy, XRRScreenResources *resources, RRProvider provi
+ return NULL;
+ }
+
++ if (rep.length > INT_MAX >> 2 || rep.length < ProviderInfoExtra >> 2)
++ {
++ if (rep.length < ProviderInfoExtra >> 2)
++ _XEatDataWords (dpy, rep.length);
++ else
++ _XEatDataWords (dpy, rep.length - (ProviderInfoExtra >> 2));
++ UnlockDisplay (dpy);
++ SyncHandle ();
++ return NULL;
++ }
++
+ nbytes = ((long) rep.length << 2) - ProviderInfoExtra;
+
+ nbytesRead = (long)(rep.nCrtcs * 4 +
+diff --git a/src/XrrScreen.c b/src/XrrScreen.c
+index b8ce7e5..1f7ffe6 100644
+--- a/src/XrrScreen.c
++++ b/src/XrrScreen.c
+@@ -24,6 +24,7 @@
+ #include <config.h>
+ #endif
+
++#include <limits.h>
+ #include <stdio.h>
+ #include <X11/Xlib.h>
+ /* we need to be able to manipulate the Display structure on events */
+@@ -105,27 +106,36 @@ doGetScreenResources (Display *dpy, Window window, int poll)
+ xrri->has_rates = _XRRHasRates (xrri->minor_version, xrri->major_version);
+ }
+
+- nbytes = (long) rep.length << 2;
++ if (rep.length < INT_MAX >> 2) {
++ nbytes = (long) rep.length << 2;
+
+- nbytesRead = (long) (rep.nCrtcs * 4 +
+- rep.nOutputs * 4 +
+- rep.nModes * SIZEOF (xRRModeInfo) +
+- ((rep.nbytesNames + 3) & ~3));
++ nbytesRead = (long) (rep.nCrtcs * 4 +
++ rep.nOutputs * 4 +
++ rep.nModes * SIZEOF (xRRModeInfo) +
++ ((rep.nbytesNames + 3) & ~3));
+
+- /*
+- * first we must compute how much space to allocate for
+- * randr library's use; we'll allocate the structures in a single
+- * allocation, on cleanlyness grounds.
+- */
++ /*
++ * first we must compute how much space to allocate for
++ * randr library's use; we'll allocate the structures in a single
++ * allocation, on cleanlyness grounds.
++ */
++
++ rbytes = (sizeof (XRRScreenResources) +
++ rep.nCrtcs * sizeof (RRCrtc) +
++ rep.nOutputs * sizeof (RROutput) +
++ rep.nModes * sizeof (XRRModeInfo) +
++ rep.nbytesNames + rep.nModes); /* '\0' terminate names */
+
+- rbytes = (sizeof (XRRScreenResources) +
+- rep.nCrtcs * sizeof (RRCrtc) +
+- rep.nOutputs * sizeof (RROutput) +
+- rep.nModes * sizeof (XRRModeInfo) +
+- rep.nbytesNames + rep.nModes); /* '\0' terminate names */
++ xrsr = (XRRScreenResources *) Xmalloc(rbytes);
++ wire_names = (char *) Xmalloc (rep.nbytesNames);
++ } else {
++ nbytes = 0;
++ nbytesRead = 0;
++ rbytes = 0;
++ xrsr = NULL;
++ wire_names = NULL;
++ }
+
+- xrsr = (XRRScreenResources *) Xmalloc(rbytes);
+- wire_names = (char *) Xmalloc (rep.nbytesNames);
+ if (xrsr == NULL || wire_names == NULL) {
+ Xfree (xrsr);
+ Xfree (wire_names);
+@@ -174,6 +184,14 @@ doGetScreenResources (Display *dpy, Window window, int poll)
+ wire_name = wire_names;
+ for (i = 0; i < rep.nModes; i++) {
+ xrsr->modes[i].name = names;
++ if (xrsr->modes[i].nameLength > rep.nbytesNames) {
++ Xfree (xrsr);
++ Xfree (wire_names);
++ UnlockDisplay (dpy);
++ SyncHandle ();
++ return NULL;
++ }
++ rep.nbytesNames -= xrsr->modes[i].nameLength;
+ memcpy (names, wire_name, xrsr->modes[i].nameLength);
+ names[xrsr->modes[i].nameLength] = '\0';
+ names += xrsr->modes[i].nameLength + 1;
+--
+cgit v0.10.2
+
diff --git a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrandr_1.5.0.bb b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrandr_1.5.0.bb
index abbbae552..35c60b419 100644
--- a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrandr_1.5.0.bb
+++ b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrandr_1.5.0.bb
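Review bot: In the XRRGetMonitors loop (XrrMonitor.c) the new error path calls `Xfree(buf)` directly after the context line `buf += SIZEOF (xRRMonitorInfo);`, so the pointer handed to the allocator is no longer the one that was allocated, assuming `buf` is the heap buffer the reply was read into (its allocation is outside the hunk). Freeing an interior pointer corrupts the heap on exactly the malformed-reply path this patch is meant to make safe; keep the start of the buffer in a separate variable and free that instead, for example `Xfree(buf_head);` with `buf_head` as a suggested name. The earlier length check in the same function discards the reply with `_XEatData (dpy, rep.length)`, which takes a byte count, while the other rejection paths in this patch use `_XEatDataWords (dpy, rep.length)`. Since `rep.length` counts 4-byte units (see `nbytes = (long) rep.length << 2`), that path would leave most of the reply unread and the connection out of step with the server.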
@@ -19,5 +19,8 @@ XORG_PN = "libXrandr" BBCLASSEXTEND = "native nativesdk" +SRC_URI += "file://CVE-2016-7947_CVE-2016-7948.patch \ + " + SRC_URI[md5sum] = "309762867e41c6fd813da880d8a1bc93" SRC_URI[sha256sum] = "6f864959b7fc35db11754b270d71106ef5b5cf363426aa58589cb8ac8266de58" diff --git a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrender/CVE-2016-7949.patch b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrender/CVE-2016-7949.patch new file mode 100644 index 000000000..73315b108 --- /dev/null +++ b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrender/CVE-2016-7949.patch 
@@ -0,0 +1,59 @@
+From 9362c7ddd1af3b168953d0737877bc52d79c94f4 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sun, 25 Sep 2016 21:43:09 +0200
+Subject: Validate lengths while parsing server data.
+
+Individual lengths inside received server data can overflow
+the previously reserved memory.
+
+It is therefore important to validate every single length
+field to not overflow the previously agreed sum of all invidual
+length fields.
+
+v2: consume remaining bytes in the reply buffer on error.
+
+CVE: CVE-2016-7949
+Upstream-Status: Backport
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+Reviewed-by: Matthieu Herrb@laas.fr
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+
+diff --git a/src/Xrender.c b/src/Xrender.c
+index 3102eb2..71cf3e6 100644
+--- a/src/Xrender.c
++++ b/src/Xrender.c
+@@ -533,12 +533,30 @@ XRenderQueryFormats (Display *dpy)
+ screen->fallback = _XRenderFindFormat (xri, xScreen->fallback);
+ screen->subpixel = SubPixelUnknown;
+ xDepth = (xPictDepth *) (xScreen + 1);
++ if (screen->ndepths > rep.numDepths) {
++ Xfree (xri);
++ Xfree (xData);
++ _XEatDataWords (dpy, rep.length);
++ UnlockDisplay (dpy);
++ SyncHandle ();
++ return 0;
++ }
++ rep.numDepths -= screen->ndepths;
+ for (nd = 0; nd < screen->ndepths; nd++)
+ {
+ depth->depth = xDepth->depth;
+ depth->nvisuals = xDepth->nPictVisuals;
+ depth->visuals = visual;
+ xVisual = (xPictVisual *) (xDepth + 1);
++ if (depth->nvisuals > rep.numVisuals) {
++ Xfree (xri);
++ Xfree (xData);
++ _XEatDataWords (dpy, rep.length);
++ UnlockDisplay (dpy);
++ SyncHandle ();
++ return 0;
++ }
++ rep.numVisuals -= depth->nvisuals;
+ for (nv = 0; nv < depth->nvisuals; nv++)
+ {
+ visual->visual = _XRenderFindVisual (dpy, xVisual->visual);
+--
+cgit v0.10.2
+
diff --git a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb
index 44cb2e0eb..eac367906 100644
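Review bot: Both new error paths in XRenderQueryFormats call `_XEatDataWords (dpy, rep.length)` after the loop has already been reading fields such as `xDepth->depth` out of the buffer that is freed as `xData`, so at least part of the reply body has been consumed by then. If the whole reply was read into `xData` before parsing (the read is outside the hunk), discarding another `rep.length` words would block on, or swallow, data belonging to later replies and leave the connection out of sync. Confirm how much of the reply is still unread at this point and eat only that remainder, or drop the call if nothing is left. The checks also treat `rep.numDepths` and `rep.numVisuals` as running budgets by decrementing them in place; a comment such as `/* entries still allowed by the reply header */` on each decrement would make that intent clear.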
--- a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb +++ b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb @@ -19,5 +19,8 @@ XORG_PN = "libXrender" BBCLASSEXTEND = "native nativesdk" +SRC_URI += "file://CVE-2016-7949.patch \ + " + SRC_URI[md5sum] = "5db92962b124ca3a8147daae4adbd622" SRC_URI[sha256sum] = "fc2fe57980a14092426dffcd1f2d9de0987b9d40adea663bd70d6342c0e9be1a" diff --git a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxtst_1.2.2.bb b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxtst_1.2.3.bb index 1b0bcf391..31ea4392d 100644 --- a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxtst_1.2.2.bb +++ b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxtst_1.2.3.bb @@ -16,5 +16,5 @@ PE = "1" XORG_PN = "libXtst" -SRC_URI[md5sum] = "25c6b366ac3dc7a12c5d79816ce96a59" -SRC_URI[sha256sum] = "ef0a7ffd577e5f1a25b1663b375679529663a1880151beaa73e9186c8309f6d9" +SRC_URI[md5sum] = "ef8c2c1d16a00bd95b9fdcef63b8a2ca" +SRC_URI[sha256sum] = "4655498a1b8e844e3d6f21f3b2c4e2b571effb5fd83199d428a6ba7ea4bf5204" |