3 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7949
5 Patch copied from upstream source repository:
7 https://cgit.freedesktop.org/xorg/lib/libXrender/commit/?id=9362c7ddd1af3b168953d0737877bc52d79c94f4
9 From 9362c7ddd1af3b168953d0737877bc52d79c94f4 Mon Sep 17 00:00:00 2001
10 From: Tobias Stoeckmann <tobias@stoeckmann.org>
11 Date: Sun, 25 Sep 2016 21:43:09 +0200
12 Subject: [PATCH] Validate lengths while parsing server data.
14 Individual lengths inside received server data can overflow
15 the previously reserved memory.
17 It is therefore important to validate every single length
18 field to not overflow the previously agreed sum of all invidual
21 v2: consume remaining bytes in the reply buffer on error.
23 Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
24 Reviewed-by: Matthieu Herrb@laas.fr
26 src/Xrender.c | 18 ++++++++++++++++++
27 1 file changed, 18 insertions(+)
29 diff --git a/src/Xrender.c b/src/Xrender.c
30 index 3102eb2..71cf3e6 100644
33 @@ -533,12 +533,30 @@ XRenderQueryFormats (Display *dpy)
34 screen->fallback = _XRenderFindFormat (xri, xScreen->fallback);
35 screen->subpixel = SubPixelUnknown;
36 xDepth = (xPictDepth *) (xScreen + 1);
37 + if (screen->ndepths > rep.numDepths) {
40 + _XEatDataWords (dpy, rep.length);
41 + UnlockDisplay (dpy);
45 + rep.numDepths -= screen->ndepths;
46 for (nd = 0; nd < screen->ndepths; nd++)
48 depth->depth = xDepth->depth;
49 depth->nvisuals = xDepth->nPictVisuals;
50 depth->visuals = visual;
51 xVisual = (xPictVisual *) (xDepth + 1);
52 + if (depth->nvisuals > rep.numVisuals) {
55 + _XEatDataWords (dpy, rep.length);
56 + UnlockDisplay (dpy);
60 + rep.numVisuals -= depth->nvisuals;
61 for (nv = 0; nv < depth->nvisuals; nv++)
63 visual->visual = _XRenderFindVisual (dpy, xVisual->visual);
HCoop / jackhill / guix / guix.git / blob