Diffstat (limited to 'extra/xorg-server/0001-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch')
-rw-r--r-- | extra/xorg-server/0001-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch | 76 |
1 files changed, 0 insertions, 76 deletions
diff --git a/extra/xorg-server/0001-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch b/extra/xorg-server/0001-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch
deleted file mode 100644
index b550bcedd..000000000
--- a/extra/xorg-server/0001-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From 7bddc2ba16a2a15773c2ea8947059afa27727764 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Mon, 16 Sep 2013 21:47:16 -0700
-Subject: [PATCH] Avoid use-after-free in dix/dixfonts.c: doImageText()
- [CVE-2013-4396]
-
-Save a pointer to the passed in closure structure before copying it
-and overwriting the *c pointer to point to our copy instead of the
-original. If we hit an error, once we free(c), reset c to point to
-the original structure before jumping to the cleanup code that
-references *c.
-
-Since one of the errors being checked for is whether the server was
-able to malloc(c->nChars * itemSize), the client can potentially pass
-a number of characters chosen to cause the malloc to fail and the
-error path to be taken, resulting in the read from freed memory.
-
-Since the memory is accessed almost immediately afterwards, and the
-X server is mostly single threaded, the odds of the free memory having
-invalid contents are low with most malloc implementations when not using
-memory debugging features, but some allocators will definitely overwrite
-the memory there, leading to a likely crash.
-
-Reported-by: Pedro Ribeiro <pedrib@gmail.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Julien Cristau <jcristau@debian.org>
----
- dix/dixfonts.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/dix/dixfonts.c b/dix/dixfonts.c
-index feb765d..2e34d37 100644
---- a/dix/dixfonts.c
-+++ b/dix/dixfonts.c
-@@ -1425,6 +1425,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
- GC *pGC;
- unsigned char *data;
- ITclosurePtr new_closure;
-+ ITclosurePtr old_closure;
-
- /* We're putting the client to sleep. We need to
- save some state. Similar problem to that handled
-@@ -1436,12 +1437,14 @@ doImageText(ClientPtr client, ITclosurePtr c)
- err = BadAlloc;
- goto bail;
- }
-+ old_closure = c;
- *new_closure = *c;
- c = new_closure;
-
- data = malloc(c->nChars * itemSize);
- if (!data) {
- free(c);
-+ c = old_closure;
- err = BadAlloc;
- goto bail;
- }
-@@ -1452,6 +1455,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
- if (!pGC) {
- free(c->data);
- free(c);
-+ c = old_closure;
- err = BadAlloc;
- goto bail;
- }
-@@ -1464,6 +1468,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
- FreeScratchGC(pGC);
- free(c->data);
- free(c);
-+ c = old_closure;
- err = BadAlloc;
- goto bail;
- }
---
-1.7.9.2
- |