summaryrefslogtreecommitdiffstats
path: root/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib
diff options
context:
space:
mode:
Diffstat (limited to 'import-layers/yocto-poky/meta/recipes-graphics/xorg-lib')
-rw-r--r--import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7942.patch69
-rw-r--r--import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7943.patch103
-rw-r--r--import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb2
-rw-r--r--import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrandr/CVE-2016-7947_CVE-2016-7948.patch439
-rw-r--r--import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrandr_1.5.0.bb3
-rw-r--r--import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrender/CVE-2016-7949.patch59
-rw-r--r--import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb3
-rw-r--r--import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxtst_1.2.3.bb (renamed from import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxtst_1.2.2.bb)4
8 files changed, 680 insertions, 2 deletions
diff --git a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7942.patch b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7942.patch
new file mode 100644
index 000000000..f5b4d69d4
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7942.patch
@@ -0,0 +1,69 @@
+From 8ea762f94f4c942d898fdeb590a1630c83235c17 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sun, 25 Sep 2016 21:25:25 +0200
+Subject: Validation of server responses in XGetImage()
+
+Check if enough bytes were received for specified image type and
+geometry. Otherwise GetPixel and other functions could trigger an
+out of boundary read later on.
+
+CVE: CVE-2016-7942
+Upstream-Status: Backport
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+
+diff --git a/src/GetImage.c b/src/GetImage.c
+index c461abc..ff32d58 100644
+--- a/src/GetImage.c
++++ b/src/GetImage.c
+@@ -59,6 +59,7 @@ XImage *XGetImage (
+ char *data;
+ unsigned long nbytes;
+ XImage *image;
++ int planes;
+ LockDisplay(dpy);
+ GetReq (GetImage, req);
+ /*
+@@ -91,18 +92,28 @@ XImage *XGetImage (
+ return (XImage *) NULL;
+ }
+ _XReadPad (dpy, data, nbytes);
+- if (format == XYPixmap)
+- image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual),
+- Ones (plane_mask &
+- (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))),
+- format, 0, data, width, height, dpy->bitmap_pad, 0);
+- else /* format == ZPixmap */
+- image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual),
+- rep.depth, ZPixmap, 0, data, width, height,
+- _XGetScanlinePad(dpy, (int) rep.depth), 0);
++ if (format == XYPixmap) {
++ image = XCreateImage(dpy, _XVIDtoVisual(dpy, rep.visual),
++ Ones (plane_mask &
++ (((unsigned long)0xFFFFFFFF) >> (32 - rep.depth))),
++ format, 0, data, width, height, dpy->bitmap_pad, 0);
++ planes = image->depth;
++ } else { /* format == ZPixmap */
++ image = XCreateImage (dpy, _XVIDtoVisual(dpy, rep.visual),
++ rep.depth, ZPixmap, 0, data, width, height,
++ _XGetScanlinePad(dpy, (int) rep.depth), 0);
++ planes = 1;
++ }
+
+ if (!image)
+ Xfree(data);
++ if (planes < 1 || image->height < 1 || image->bytes_per_line < 1 ||
++ INT_MAX / image->height <= image->bytes_per_line ||
++ INT_MAX / planes <= image->height * image->bytes_per_line ||
++ nbytes < planes * image->height * image->bytes_per_line) {
++ XDestroyImage(image);
++ image = NULL;
++ }
+ UnlockDisplay(dpy);
+ SyncHandle();
+ return (image);
+--
+cgit v0.10.2
+
diff --git a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7943.patch b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7943.patch
new file mode 100644
index 000000000..50024236d
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11/CVE-2016-7943.patch
@@ -0,0 +1,103 @@
+From 8c29f1607a31dac0911e45a0dd3d74173822b3c9 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sun, 25 Sep 2016 21:22:57 +0200
+Subject: The validation of server responses avoids out of boundary accesses.
+
+v2: FontNames.c return a NULL list whenever a single
+length field from the server is incohent.
+
+CVE: CVE-2016-7943
+Upstream-Status: Backport
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+
+diff --git a/src/FontNames.c b/src/FontNames.c
+index 21dcafe..e55f338 100644
+--- a/src/FontNames.c
++++ b/src/FontNames.c
+@@ -66,7 +66,7 @@ int *actualCount) /* RETURN */
+
+ if (rep.nFonts) {
+ flist = Xmalloc (rep.nFonts * sizeof(char *));
+- if (rep.length < (INT_MAX >> 2)) {
++ if (rep.length > 0 && rep.length < (INT_MAX >> 2)) {
+ rlen = rep.length << 2;
+ ch = Xmalloc(rlen + 1);
+ /* +1 to leave room for last null-terminator */
+@@ -93,11 +93,22 @@ int *actualCount) /* RETURN */
+ if (ch + length < chend) {
+ flist[i] = ch + 1; /* skip over length */
+ ch += length + 1; /* find next length ... */
+- length = *(unsigned char *)ch;
+- *ch = '\0'; /* and replace with null-termination */
+- count++;
+- } else
+- flist[i] = NULL;
++ if (ch <= chend) {
++ length = *(unsigned char *)ch;
++ *ch = '\0'; /* and replace with null-termination */
++ count++;
++ } else {
++ Xfree(flist);
++ flist = NULL;
++ count = 0;
++ break;
++ }
++ } else {
++ Xfree(flist);
++ flist = NULL;
++ count = 0;
++ break;
++ }
+ }
+ }
+ *actualCount = count;
+diff --git a/src/ListExt.c b/src/ListExt.c
+index be6b989..0516e45 100644
+--- a/src/ListExt.c
++++ b/src/ListExt.c
+@@ -55,7 +55,7 @@ char **XListExtensions(
+
+ if (rep.nExtensions) {
+ list = Xmalloc (rep.nExtensions * sizeof (char *));
+- if (rep.length < (INT_MAX >> 2)) {
++ if (rep.length > 0 && rep.length < (INT_MAX >> 2)) {
+ rlen = rep.length << 2;
+ ch = Xmalloc (rlen + 1);
+ /* +1 to leave room for last null-terminator */
+@@ -80,9 +80,13 @@ char **XListExtensions(
+ if (ch + length < chend) {
+ list[i] = ch+1; /* skip over length */
+ ch += length + 1; /* find next length ... */
+- length = *ch;
+- *ch = '\0'; /* and replace with null-termination */
+- count++;
++ if (ch <= chend) {
++ length = *ch;
++ *ch = '\0'; /* and replace with null-termination */
++ count++;
++ } else {
++ list[i] = NULL;
++ }
+ } else
+ list[i] = NULL;
+ }
+diff --git a/src/ModMap.c b/src/ModMap.c
+index a809aa2..49a5d08 100644
+--- a/src/ModMap.c
++++ b/src/ModMap.c
+@@ -42,7 +42,8 @@ XGetModifierMapping(register Display *dpy)
+ GetEmptyReq(GetModifierMapping, req);
+ (void) _XReply (dpy, (xReply *)&rep, 0, xFalse);
+
+- if (rep.length < (INT_MAX >> 2)) {
++ if (rep.length < (INT_MAX >> 2) &&
++ (rep.length >> 1) == rep.numKeyPerModifier) {
+ nbytes = (unsigned long)rep.length << 2;
+ res = Xmalloc(sizeof (XModifierKeymap));
+ if (res)
+--
+cgit v0.10.2
+
diff --git a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb
index 8e531c745..23a77891e 100644
--- a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb
+++ b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libx11_1.6.3.bb
@@ -5,6 +5,8 @@ BBCLASSEXTEND = "native nativesdk"
SRC_URI += "file://disable_tests.patch \
file://libX11-Add-missing-NULL-check.patch \
+ file://CVE-2016-7942.patch \
+ file://CVE-2016-7943.patch \
"
SRC_URI[md5sum] = "2e36b73f8a42143142dda8129f02e4e0"
diff --git a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrandr/CVE-2016-7947_CVE-2016-7948.patch b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrandr/CVE-2016-7947_CVE-2016-7948.patch
new file mode 100644
index 000000000..a9b3dbc65
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrandr/CVE-2016-7947_CVE-2016-7948.patch
@@ -0,0 +1,439 @@
+From a0df3e1c7728205e5c7650b2e6dce684139254a6 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sun, 25 Sep 2016 22:21:40 +0200
+Subject: Avoid out of boundary accesses on illegal responses
+
+The responses of the connected X server have to be properly checked
+to avoid out of boundary accesses that could otherwise be triggered
+by a malicious server.
+
+CVE: CVE-2016-7947
+libXrandr: Insufficient validation of server responses result in Integer overflows
+
+CVE: CVE-2016-7948
+libXrandr: Insufficient validation of server responses result in various data mishandlings
+
+Upstream-Status: Backport
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+
+diff --git a/src/XrrConfig.c b/src/XrrConfig.c
+index 2f0282b..e68c45a 100644
+--- a/src/XrrConfig.c
++++ b/src/XrrConfig.c
+@@ -29,6 +29,7 @@
+ #include <config.h>
+ #endif
+
++#include <limits.h>
+ #include <stdio.h>
+ #include <X11/Xlib.h>
+ /* we need to be able to manipulate the Display structure on events */
+@@ -272,23 +273,30 @@ static XRRScreenConfiguration *_XRRGetScreenInfo (Display *dpy,
+ rep.rate = 0;
+ rep.nrateEnts = 0;
+ }
++ if (rep.length < INT_MAX >> 2) {
++ nbytes = (long) rep.length << 2;
+
+- nbytes = (long) rep.length << 2;
++ nbytesRead = (long) (rep.nSizes * SIZEOF (xScreenSizes) +
++ ((rep.nrateEnts + 1)& ~1) * 2 /* SIZEOF(CARD16) */);
+
+- nbytesRead = (long) (rep.nSizes * SIZEOF (xScreenSizes) +
+- ((rep.nrateEnts + 1)& ~1) * 2 /* SIZEOF (CARD16) */);
++ /*
++ * first we must compute how much space to allocate for
++ * randr library's use; we'll allocate the structures in a single
++ * allocation, on cleanlyness grounds.
++ */
+
+- /*
+- * first we must compute how much space to allocate for
+- * randr library's use; we'll allocate the structures in a single
+- * allocation, on cleanlyness grounds.
+- */
++ rbytes = sizeof (XRRScreenConfiguration) +
++ (rep.nSizes * sizeof (XRRScreenSize) +
++ rep.nrateEnts * sizeof (int));
+
+- rbytes = sizeof (XRRScreenConfiguration) +
+- (rep.nSizes * sizeof (XRRScreenSize) +
+- rep.nrateEnts * sizeof (int));
++ scp = (struct _XRRScreenConfiguration *) Xmalloc(rbytes);
++ } else {
++ nbytes = 0;
++ nbytesRead = 0;
++ rbytes = 0;
++ scp = NULL;
++ }
+
+- scp = (struct _XRRScreenConfiguration *) Xmalloc(rbytes);
+ if (scp == NULL) {
+ _XEatData (dpy, (unsigned long) nbytes);
+ return NULL;
+diff --git a/src/XrrCrtc.c b/src/XrrCrtc.c
+index 5ae35c5..6665092 100644
+--- a/src/XrrCrtc.c
++++ b/src/XrrCrtc.c
+@@ -24,6 +24,7 @@
+ #include <config.h>
+ #endif
+
++#include <limits.h>
+ #include <stdio.h>
+ #include <X11/Xlib.h>
+ /* we need to be able to manipulate the Display structure on events */
+@@ -57,22 +58,33 @@ XRRGetCrtcInfo (Display *dpy, XRRScreenResources *resources, RRCrtc crtc)
+ return NULL;
+ }
+
+- nbytes = (long) rep.length << 2;
++ if (rep.length < INT_MAX >> 2)
++ {
++ nbytes = (long) rep.length << 2;
+
+- nbytesRead = (long) (rep.nOutput * 4 +
+- rep.nPossibleOutput * 4);
++ nbytesRead = (long) (rep.nOutput * 4 +
++ rep.nPossibleOutput * 4);
+
+- /*
+- * first we must compute how much space to allocate for
+- * randr library's use; we'll allocate the structures in a single
+- * allocation, on cleanlyness grounds.
+- */
++ /*
++ * first we must compute how much space to allocate for
++ * randr library's use; we'll allocate the structures in a single
++ * allocation, on cleanlyness grounds.
++ */
+
+- rbytes = (sizeof (XRRCrtcInfo) +
+- rep.nOutput * sizeof (RROutput) +
+- rep.nPossibleOutput * sizeof (RROutput));
++ rbytes = (sizeof (XRRCrtcInfo) +
++ rep.nOutput * sizeof (RROutput) +
++ rep.nPossibleOutput * sizeof (RROutput));
++
++ xci = (XRRCrtcInfo *) Xmalloc(rbytes);
++ }
++ else
++ {
++ nbytes = 0;
++ nbytesRead = 0;
++ rbytes = 0;
++ xci = NULL;
++ }
+
+- xci = (XRRCrtcInfo *) Xmalloc(rbytes);
+ if (xci == NULL) {
+ _XEatDataWords (dpy, rep.length);
+ UnlockDisplay (dpy);
+@@ -194,12 +206,21 @@ XRRGetCrtcGamma (Display *dpy, RRCrtc crtc)
+ if (!_XReply (dpy, (xReply *) &rep, 0, xFalse))
+ goto out;
+
+- nbytes = (long) rep.length << 2;
++ if (rep.length < INT_MAX >> 2)
++ {
++ nbytes = (long) rep.length << 2;
+
+- /* three channels of CARD16 data */
+- nbytesRead = (rep.size * 2 * 3);
++ /* three channels of CARD16 data */
++ nbytesRead = (rep.size * 2 * 3);
+
+- crtc_gamma = XRRAllocGamma (rep.size);
++ crtc_gamma = XRRAllocGamma (rep.size);
++ }
++ else
++ {
++ nbytes = 0;
++ nbytesRead = 0;
++ crtc_gamma = NULL;
++ }
+
+ if (!crtc_gamma)
+ {
+@@ -357,7 +378,7 @@ XRRGetCrtcTransform (Display *dpy,
+ xRRGetCrtcTransformReq *req;
+ int major_version, minor_version;
+ XRRCrtcTransformAttributes *attr;
+- char *extra = NULL, *e;
++ char *extra = NULL, *end = NULL, *e;
+ int p;
+
+ *attributes = NULL;
+@@ -395,9 +416,17 @@ XRRGetCrtcTransform (Display *dpy,
+ else
+ {
+ int extraBytes = rep.length * 4 - CrtcTransformExtra;
+- extra = Xmalloc (extraBytes);
++ if (rep.length < INT_MAX / 4 &&
++ rep.length * 4 >= CrtcTransformExtra) {
++ extra = Xmalloc (extraBytes);
++ end = extra + extraBytes;
++ } else
++ extra = NULL;
+ if (!extra) {
+- _XEatDataWords (dpy, rep.length - (CrtcTransformExtra >> 2));
++ if (rep.length > (CrtcTransformExtra >> 2))
++ _XEatDataWords (dpy, rep.length - (CrtcTransformExtra >> 2));
++ else
++ _XEatDataWords (dpy, rep.length);
+ UnlockDisplay (dpy);
+ SyncHandle ();
+ return False;
+@@ -429,22 +458,38 @@ XRRGetCrtcTransform (Display *dpy,
+
+ e = extra;
+
++ if (e + rep.pendingNbytesFilter > end) {
++ XFree (extra);
++ return False;
++ }
+ memcpy (attr->pendingFilter, e, rep.pendingNbytesFilter);
+ attr->pendingFilter[rep.pendingNbytesFilter] = '\0';
+ e += (rep.pendingNbytesFilter + 3) & ~3;
+ for (p = 0; p < rep.pendingNparamsFilter; p++) {
+ INT32 f;
++ if (e + 4 > end) {
++ XFree (extra);
++ return False;
++ }
+ memcpy (&f, e, 4);
+ e += 4;
+ attr->pendingParams[p] = (XFixed) f;
+ }
+ attr->pendingNparams = rep.pendingNparamsFilter;
+
++ if (e + rep.currentNbytesFilter > end) {
++ XFree (extra);
++ return False;
++ }
+ memcpy (attr->currentFilter, e, rep.currentNbytesFilter);
+ attr->currentFilter[rep.currentNbytesFilter] = '\0';
+ e += (rep.currentNbytesFilter + 3) & ~3;
+ for (p = 0; p < rep.currentNparamsFilter; p++) {
+ INT32 f;
++ if (e + 4 > end) {
++ XFree (extra);
++ return False;
++ }
+ memcpy (&f, e, 4);
+ e += 4;
+ attr->currentParams[p] = (XFixed) f;
+diff --git a/src/XrrMonitor.c b/src/XrrMonitor.c
+index a9eaa7b..adc5330 100644
+--- a/src/XrrMonitor.c
++++ b/src/XrrMonitor.c
+@@ -24,6 +24,7 @@
+ #include <config.h>
+ #endif
+
++#include <limits.h>
+ #include <stdio.h>
+ #include <X11/Xlib.h>
+ /* we need to be able to manipulate the Display structure on events */
+@@ -65,6 +66,15 @@ XRRGetMonitors(Display *dpy, Window window, Bool get_active, int *nmonitors)
+ return NULL;
+ }
+
++ if (rep.length > INT_MAX >> 2 ||
++ rep.nmonitors > INT_MAX / SIZEOF(xRRMonitorInfo) ||
++ rep.noutputs > INT_MAX / 4 ||
++ rep.nmonitors * SIZEOF(xRRMonitorInfo) > INT_MAX - rep.noutputs * 4) {
++ _XEatData (dpy, rep.length);
++ UnlockDisplay (dpy);
++ SyncHandle ();
++ return NULL;
++ }
+ nbytes = (long) rep.length << 2;
+ nmon = rep.nmonitors;
+ noutput = rep.noutputs;
+@@ -111,6 +121,14 @@ XRRGetMonitors(Display *dpy, Window window, Bool get_active, int *nmonitors)
+ mon[m].outputs = output;
+ buf += SIZEOF (xRRMonitorInfo);
+ xoutput = (CARD32 *) buf;
++ if (xmon->noutput > rep.noutputs) {
++ Xfree(buf);
++ Xfree(mon);
++ UnlockDisplay (dpy);
++ SyncHandle ();
++ return NULL;
++ }
++ rep.noutputs -= xmon->noutput;
+ for (o = 0; o < xmon->noutput; o++)
+ output[o] = xoutput[o];
+ output += xmon->noutput;
+diff --git a/src/XrrOutput.c b/src/XrrOutput.c
+index 85f0b6e..30f3d40 100644
+--- a/src/XrrOutput.c
++++ b/src/XrrOutput.c
+@@ -25,6 +25,7 @@
+ #include <config.h>
+ #endif
+
++#include <limits.h>
+ #include <stdio.h>
+ #include <X11/Xlib.h>
+ /* we need to be able to manipulate the Display structure on events */
+@@ -60,6 +61,16 @@ XRRGetOutputInfo (Display *dpy, XRRScreenResources *resources, RROutput output)
+ return NULL;
+ }
+
++ if (rep.length > INT_MAX >> 2 || rep.length < (OutputInfoExtra >> 2))
++ {
++ if (rep.length > (OutputInfoExtra >> 2))
++ _XEatDataWords (dpy, rep.length - (OutputInfoExtra >> 2));
++ else
++ _XEatDataWords (dpy, rep.length);
++ UnlockDisplay (dpy);
++ SyncHandle ();
++ return NULL;
++ }
+ nbytes = ((long) (rep.length) << 2) - OutputInfoExtra;
+
+ nbytesRead = (long) (rep.nCrtcs * 4 +
+diff --git a/src/XrrProvider.c b/src/XrrProvider.c
+index 9e620c7..d796cd0 100644
+--- a/src/XrrProvider.c
++++ b/src/XrrProvider.c
+@@ -25,6 +25,7 @@
+ #include <config.h>
+ #endif
+
++#include <limits.h>
+ #include <stdio.h>
+ #include <X11/Xlib.h>
+ /* we need to be able to manipulate the Display structure on events */
+@@ -59,12 +60,20 @@ XRRGetProviderResources(Display *dpy, Window window)
+ return NULL;
+ }
+
+- nbytes = (long) rep.length << 2;
++ if (rep.length < INT_MAX >> 2) {
++ nbytes = (long) rep.length << 2;
+
+- nbytesRead = (long) (rep.nProviders * 4);
++ nbytesRead = (long) (rep.nProviders * 4);
+
+- rbytes = (sizeof(XRRProviderResources) + rep.nProviders * sizeof(RRProvider));
+- xrpr = (XRRProviderResources *) Xmalloc(rbytes);
++ rbytes = (sizeof(XRRProviderResources) + rep.nProviders *
++ sizeof(RRProvider));
++ xrpr = (XRRProviderResources *) Xmalloc(rbytes);
++ } else {
++ nbytes = 0;
++ nbytesRead = 0;
++ rbytes = 0;
++ xrpr = NULL;
++ }
+
+ if (xrpr == NULL) {
+ _XEatDataWords (dpy, rep.length);
+@@ -121,6 +130,17 @@ XRRGetProviderInfo(Display *dpy, XRRScreenResources *resources, RRProvider provi
+ return NULL;
+ }
+
++ if (rep.length > INT_MAX >> 2 || rep.length < ProviderInfoExtra >> 2)
++ {
++ if (rep.length < ProviderInfoExtra >> 2)
++ _XEatDataWords (dpy, rep.length);
++ else
++ _XEatDataWords (dpy, rep.length - (ProviderInfoExtra >> 2));
++ UnlockDisplay (dpy);
++ SyncHandle ();
++ return NULL;
++ }
++
+ nbytes = ((long) rep.length << 2) - ProviderInfoExtra;
+
+ nbytesRead = (long)(rep.nCrtcs * 4 +
+diff --git a/src/XrrScreen.c b/src/XrrScreen.c
+index b8ce7e5..1f7ffe6 100644
+--- a/src/XrrScreen.c
++++ b/src/XrrScreen.c
+@@ -24,6 +24,7 @@
+ #include <config.h>
+ #endif
+
++#include <limits.h>
+ #include <stdio.h>
+ #include <X11/Xlib.h>
+ /* we need to be able to manipulate the Display structure on events */
+@@ -105,27 +106,36 @@ doGetScreenResources (Display *dpy, Window window, int poll)
+ xrri->has_rates = _XRRHasRates (xrri->minor_version, xrri->major_version);
+ }
+
+- nbytes = (long) rep.length << 2;
++ if (rep.length < INT_MAX >> 2) {
++ nbytes = (long) rep.length << 2;
+
+- nbytesRead = (long) (rep.nCrtcs * 4 +
+- rep.nOutputs * 4 +
+- rep.nModes * SIZEOF (xRRModeInfo) +
+- ((rep.nbytesNames + 3) & ~3));
++ nbytesRead = (long) (rep.nCrtcs * 4 +
++ rep.nOutputs * 4 +
++ rep.nModes * SIZEOF (xRRModeInfo) +
++ ((rep.nbytesNames + 3) & ~3));
+
+- /*
+- * first we must compute how much space to allocate for
+- * randr library's use; we'll allocate the structures in a single
+- * allocation, on cleanlyness grounds.
+- */
++ /*
++ * first we must compute how much space to allocate for
++ * randr library's use; we'll allocate the structures in a single
++ * allocation, on cleanlyness grounds.
++ */
++
++ rbytes = (sizeof (XRRScreenResources) +
++ rep.nCrtcs * sizeof (RRCrtc) +
++ rep.nOutputs * sizeof (RROutput) +
++ rep.nModes * sizeof (XRRModeInfo) +
++ rep.nbytesNames + rep.nModes); /* '\0' terminate names */
+
+- rbytes = (sizeof (XRRScreenResources) +
+- rep.nCrtcs * sizeof (RRCrtc) +
+- rep.nOutputs * sizeof (RROutput) +
+- rep.nModes * sizeof (XRRModeInfo) +
+- rep.nbytesNames + rep.nModes); /* '\0' terminate names */
++ xrsr = (XRRScreenResources *) Xmalloc(rbytes);
++ wire_names = (char *) Xmalloc (rep.nbytesNames);
++ } else {
++ nbytes = 0;
++ nbytesRead = 0;
++ rbytes = 0;
++ xrsr = NULL;
++ wire_names = NULL;
++ }
+
+- xrsr = (XRRScreenResources *) Xmalloc(rbytes);
+- wire_names = (char *) Xmalloc (rep.nbytesNames);
+ if (xrsr == NULL || wire_names == NULL) {
+ Xfree (xrsr);
+ Xfree (wire_names);
+@@ -174,6 +184,14 @@ doGetScreenResources (Display *dpy, Window window, int poll)
+ wire_name = wire_names;
+ for (i = 0; i < rep.nModes; i++) {
+ xrsr->modes[i].name = names;
++ if (xrsr->modes[i].nameLength > rep.nbytesNames) {
++ Xfree (xrsr);
++ Xfree (wire_names);
++ UnlockDisplay (dpy);
++ SyncHandle ();
++ return NULL;
++ }
++ rep.nbytesNames -= xrsr->modes[i].nameLength;
+ memcpy (names, wire_name, xrsr->modes[i].nameLength);
+ names[xrsr->modes[i].nameLength] = '\0';
+ names += xrsr->modes[i].nameLength + 1;
+--
+cgit v0.10.2
+
diff --git a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrandr_1.5.0.bb b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrandr_1.5.0.bb
index abbbae552..35c60b419 100644
--- a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrandr_1.5.0.bb
+++ b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrandr_1.5.0.bb
@@ -19,5 +19,8 @@ XORG_PN = "libXrandr"
BBCLASSEXTEND = "native nativesdk"
+SRC_URI += "file://CVE-2016-7947_CVE-2016-7948.patch \
+ "
+
SRC_URI[md5sum] = "309762867e41c6fd813da880d8a1bc93"
SRC_URI[sha256sum] = "6f864959b7fc35db11754b270d71106ef5b5cf363426aa58589cb8ac8266de58"
diff --git a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrender/CVE-2016-7949.patch b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrender/CVE-2016-7949.patch
new file mode 100644
index 000000000..73315b108
--- /dev/null
+++ b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrender/CVE-2016-7949.patch
@@ -0,0 +1,59 @@
+From 9362c7ddd1af3b168953d0737877bc52d79c94f4 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sun, 25 Sep 2016 21:43:09 +0200
+Subject: Validate lengths while parsing server data.
+
+Individual lengths inside received server data can overflow
+the previously reserved memory.
+
+It is therefore important to validate every single length
+field to not overflow the previously agreed sum of all invidual
+length fields.
+
+v2: consume remaining bytes in the reply buffer on error.
+
+CVE: CVE-2016-7949
+Upstream-Status: Backport
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+Reviewed-by: Matthieu Herrb@laas.fr
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+
+diff --git a/src/Xrender.c b/src/Xrender.c
+index 3102eb2..71cf3e6 100644
+--- a/src/Xrender.c
++++ b/src/Xrender.c
+@@ -533,12 +533,30 @@ XRenderQueryFormats (Display *dpy)
+ screen->fallback = _XRenderFindFormat (xri, xScreen->fallback);
+ screen->subpixel = SubPixelUnknown;
+ xDepth = (xPictDepth *) (xScreen + 1);
++ if (screen->ndepths > rep.numDepths) {
++ Xfree (xri);
++ Xfree (xData);
++ _XEatDataWords (dpy, rep.length);
++ UnlockDisplay (dpy);
++ SyncHandle ();
++ return 0;
++ }
++ rep.numDepths -= screen->ndepths;
+ for (nd = 0; nd < screen->ndepths; nd++)
+ {
+ depth->depth = xDepth->depth;
+ depth->nvisuals = xDepth->nPictVisuals;
+ depth->visuals = visual;
+ xVisual = (xPictVisual *) (xDepth + 1);
++ if (depth->nvisuals > rep.numVisuals) {
++ Xfree (xri);
++ Xfree (xData);
++ _XEatDataWords (dpy, rep.length);
++ UnlockDisplay (dpy);
++ SyncHandle ();
++ return 0;
++ }
++ rep.numVisuals -= depth->nvisuals;
+ for (nv = 0; nv < depth->nvisuals; nv++)
+ {
+ visual->visual = _XRenderFindVisual (dpy, xVisual->visual);
+--
+cgit v0.10.2
+
diff --git a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb
index 44cb2e0eb..eac367906 100644
--- a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb
+++ b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxrender_0.9.9.bb
@@ -19,5 +19,8 @@ XORG_PN = "libXrender"
BBCLASSEXTEND = "native nativesdk"
+SRC_URI += "file://CVE-2016-7949.patch \
+ "
+
SRC_URI[md5sum] = "5db92962b124ca3a8147daae4adbd622"
SRC_URI[sha256sum] = "fc2fe57980a14092426dffcd1f2d9de0987b9d40adea663bd70d6342c0e9be1a"
diff --git a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxtst_1.2.2.bb b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxtst_1.2.3.bb
index 1b0bcf391..31ea4392d 100644
--- a/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxtst_1.2.2.bb
+++ b/import-layers/yocto-poky/meta/recipes-graphics/xorg-lib/libxtst_1.2.3.bb
@@ -16,5 +16,5 @@ PE = "1"
XORG_PN = "libXtst"
-SRC_URI[md5sum] = "25c6b366ac3dc7a12c5d79816ce96a59"
-SRC_URI[sha256sum] = "ef0a7ffd577e5f1a25b1663b375679529663a1880151beaa73e9186c8309f6d9"
+SRC_URI[md5sum] = "ef8c2c1d16a00bd95b9fdcef63b8a2ca"
+SRC_URI[sha256sum] = "4655498a1b8e844e3d6f21f3b2c4e2b571effb5fd83199d428a6ba7ea4bf5204"
OpenPOWER on IntegriCloud