20970289 problem in X11/XORG-SERVER s11u3_22
author Alan Coopersmith <Alan.Coopersmith@Oracle.COM>
Tue, 28 Apr 2015 18:11:34 -0700
changeset 1461 68483775704b
parent 1460 4c8eb9886928
child 1462 ef84da5abdc1
20970289 problem in X11/XORG-SERVER
open-src/xserver/xorg/CVE-2015-3418.patch
open-src/xserver/xorg/patch-list
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/open-src/xserver/xorg/CVE-2015-3418.patch	Tue Apr 28 18:11:34 2015 -0700
@@ -0,0 +1,32 @@
+From dc777c346d5d452a53b13b917c45f6a1bad2f20b Mon Sep 17 00:00:00 2001
+From: Keith Packard <[email protected]>
+Date: Sat, 3 Jan 2015 08:46:45 -0800
+Subject: [PATCH] dix: Allow zero-height PutImage requests
+
+The length checking code validates PutImage height and byte width by
+making sure that byte-width >= INT32_MAX / height. If height is zero,
+this generates a divide by zero exception. Allow zero height requests
+explicitly, bypassing the INT32_MAX check.
+
+Signed-off-by: Keith Packard <[email protected]>
+Reviewed-by: Alan Coopersmith <[email protected]>
+---
+ dix/dispatch.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dix/dispatch.c b/dix/dispatch.c
+index 55b978d..9044ac7 100644
+--- a/dix/dispatch.c
++++ b/dix/dispatch.c
+@@ -2000,7 +2000,7 @@ ProcPutImage(ClientPtr client)
+     tmpImage = (char *) &stuff[1];
+     lengthProto = length;
+ 
+-    if (lengthProto >= (INT32_MAX / stuff->height))
++    if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height))
+         return BadLength;
+ 
+     if ((bytes_to_int32(lengthProto * stuff->height) +
+-- 
+1.7.9.2
+
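Review bot: the new condition `stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height)` in ProcPutImage has no comment saying that zero height is exempted only to avoid the division, so a later reader could take the exemption for a relaxed bounds check. With height zero the request is then validated only by the following `bytes_to_int32(lengthProto * stuff->height) + ...` comparison, where the product is zero; a one-line comment above the `if` stating that would help. The embedded commit message also words the check backwards ("making sure that byte-width >= INT32_MAX / height" describes the rejected case, not the accepted one), and the CVE id appears only in the file name, not in the patch header.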
--- a/open-src/xserver/xorg/patch-list	Tue Apr 28 14:40:52 2015 -0700
+++ b/open-src/xserver/xorg/patch-list	Tue Apr 28 18:11:34 2015 -0700
@@ -36,3 +36,4 @@
 multi-session-with-isolateDevice.patch,-p1
 security-2014-12-09.patch,-p1
 CVE-2015-0255.patch,-p1
+CVE-2015-3418.patch,-p1
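Review bot: the added `CVE-2015-3418.patch,-p1` entry depends on the tree already containing the `if (lengthProto >= (INT32_MAX / stuff->height))` line that the patch removes, and neither this list nor the changeset description ("20970289 problem in X11/XORG-SERVER") records that or names the CVE. Suggest putting the CVE id and a short summary of the fix (zero-height PutImage divide by zero) in the description so the entry can be traced without opening the patch file. The `-p1` strip level does match the `a/dix/dispatch.c` and `b/dix/dispatch.c` paths used in the patch.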