chithanh    15/04/28 15:38:08

  Added:                xorg-server-1.12-cve-2015-3418.patch
  Log:
  Add fix for security bug #548002.

  (Portage version: 2.2.18/cvs/Linux x86_64, signed Manifest commit with key 0x2324E7B566DF2611!)

Revision Changes Path 1.1 x11-base/xorg-server/files/xorg-server-1.12-cve-2015-3418.patch file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/x11-base/xorg-server/files/xorg-server-1.12-cve-2015-3418.patch?rev=1.1&view=markup plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/x11-base/xorg-server/files/xorg-server-1.12-cve-2015-3418.patch?rev=1.1&content-type=text/plain Index: xorg-server-1.12-cve-2015-3418.patch =================================================================== >From dc777c346d5d452a53b13b917c45f6a1bad2f20b Mon Sep 17 00:00:00 2001 From: Keith Packard <[email protected]> Date: Sat, 3 Jan 2015 08:46:45 -0800 Subject: dix: Allow zero-height PutImage requests The length checking code validates PutImage height and byte width by making sure that byte-width >= INT32_MAX / height. If height is zero, this generates a divide by zero exception. Allow zero height requests explicitly, bypassing the INT32_MAX check. Signed-off-by: Keith Packard <[email protected]> Reviewed-by: Alan Coopersmith <[email protected]> diff --git a/dix/dispatch.c b/dix/dispatch.c index 55b978d..9044ac7 100644 --- a/dix/dispatch.c +++ b/dix/dispatch.c @@ -2000,7 +2000,7 @@ ProcPutImage(ClientPtr client) tmpImage = (char *) &stuff[1]; lengthProto = length; - if (lengthProto >= (INT32_MAX / stuff->height)) + if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height)) return BadLength; if ((bytes_to_int32(lengthProto * stuff->height) + -- cgit v0.10.2
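
Review bot: The new "stuff->height != 0 &&" guard in the ProcPutImage hunk should carry a short comment explaining why skipping the INT32_MAX check is safe for zero height. With height 0, the product lengthProto * stuff->height inside the bytes_to_int32(...) expression on the following line is 0 and cannot overflow, so the overflow check has nothing to protect in that case. A reader who sees only the condition cannot tell whether the bypass was intended or merely silences the division. The commit message also says the check validates the request "by making sure that byte-width >= INT32_MAX / height", while the code returns BadLength exactly when that condition holds. Rewording the message to say that requests meeting this condition are rejected would make it match the code.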
