# HG changeset patch
# User Alan Coopersmith
# Date 1430269894 25200
# Node ID 68483775704b82cf46f5d1be9a0a152908e3aef6
# Parent 4c8eb988692809febc344a6c4a9a179575c83957
20970289 problem in X11/XORG-SERVER
diff -r 4c8eb9886928 -r 68483775704b open-src/xserver/xorg/CVE-2015-3418.patch
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/open-src/xserver/xorg/CVE-2015-3418.patch Tue Apr 28 18:11:34 2015 -0700
@@ -0,0 +1,32 @@
+From dc777c346d5d452a53b13b917c45f6a1bad2f20b Mon Sep 17 00:00:00 2001
+From: Keith Packard
+Date: Sat, 3 Jan 2015 08:46:45 -0800
+Subject: [PATCH] dix: Allow zero-height PutImage requests
+
+The length checking code validates PutImage height and byte width by
+making sure that byte-width >= INT32_MAX / height. If height is zero,
+this generates a divide by zero exception. Allow zero height requests
+explicitly, bypassing the INT32_MAX check.
+
+Signed-off-by: Keith Packard
+Reviewed-by: Alan Coopersmith
+---
+ dix/dispatch.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dix/dispatch.c b/dix/dispatch.c
+index 55b978d..9044ac7 100644
+--- a/dix/dispatch.c
++++ b/dix/dispatch.c
+@@ -2000,7 +2000,7 @@ ProcPutImage(ClientPtr client)
+ tmpImage = (char *) &stuff[1];
+ lengthProto = length;
+
+- if (lengthProto >= (INT32_MAX / stuff->height))
++ if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height))
+ return BadLength;
+
+ if ((bytes_to_int32(lengthProto * stuff->height) +
+--
+1.7.9.2
+
diff -r 4c8eb9886928 -r 68483775704b open-src/xserver/xorg/patch-list
--- a/open-src/xserver/xorg/patch-list Tue Apr 28 14:40:52 2015 -0700
+++ b/open-src/xserver/xorg/patch-list Tue Apr 28 18:11:34 2015 -0700
@@ -36,3 +36,4 @@
 multi-session-with-isolateDevice.patch,-p1
 security-2014-12-09.patch,-p1
 CVE-2015-0255.patch,-p1
+CVE-2015-3418.patch,-p1
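Review bot: The rewritten guard in ProcPutImage, `if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height))`, carries no comment saying that the zero test exists to keep a client-supplied height out of the divisor, so a later cleanup could reorder or drop it and reintroduce the divide-by-zero the commit message describes. I would add above it `/* height is client-controlled: test for zero before dividing; zero-height requests are valid and carry no image data */`. With height 0 the request now falls through to the `bytes_to_int32(lengthProto * stuff->height)` comparison, which continues past the end of the hunk, so it is worth confirming there that a zero-height request carrying extra payload is still rejected with BadLength. The declarations of `lengthProto` and `stuff` are outside the hunk; the `!= 0` test is sufficient only if `height` is an unsigned field, which it presumably is but should be checked against the request struct.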