summaryrefslogtreecommitdiffstats
path: root/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4008.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4008.patch')
-rw-r--r--meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4008.patch59
1 files changed, 59 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4008.patch b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4008.patch
new file mode 100644
index 0000000000..3277be0185
--- /dev/null
+++ b/meta/recipes-graphics/xorg-xserver/xserver-xorg/CVE-2021-4008.patch
@@ -0,0 +1,59 @@
+Backport patch to fix CVE-2021-4008.
+
+CVE: CVE-2021-4008
+Upstream-Status: Backport [https://gitlab.freedesktop.org/xorg/xserver/-/commit/ebce7e2]
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+From ebce7e2d80e7c80e1dda60f2f0bc886f1106ba60 Mon Sep 17 00:00:00 2001
+From: Povilas Kanapickas <povilas@radix.lt>
+Date: Tue, 14 Dec 2021 15:00:03 +0200
+Subject: [PATCH] render: Fix out of bounds access in
+ SProcRenderCompositeGlyphs()
+
+ZDI-CAN-14192, CVE-2021-4008
+
+This vulnerability was discovered and the fix was suggested by:
+Jan-Niklas Sohn working with Trend Micro Zero Day Initiative
+
+Signed-off-by: Povilas Kanapickas <povilas@radix.lt>
+---
+ render/render.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/render/render.c b/render/render.c
+index c376090ca..456f156d4 100644
+--- a/render/render.c
++++ b/render/render.c
+@@ -2309,6 +2309,9 @@ SProcRenderCompositeGlyphs(ClientPtr client)
+
+ i = elt->len;
+ if (i == 0xff) {
++ if (buffer + 4 > end) {
++ return BadLength;
++ }
+ swapl((int *) buffer);
+ buffer += 4;
+ }
+@@ -2319,12 +2322,18 @@ SProcRenderCompositeGlyphs(ClientPtr client)
+ buffer += i;
+ break;
+ case 2:
++ if (buffer + i * 2 > end) {
++ return BadLength;
++ }
+ while (i--) {
+ swaps((short *) buffer);
+ buffer += 2;
+ }
+ break;
+ case 4:
++ if (buffer + i * 4 > end) {
++ return BadLength;
++ }
+ while (i--) {
+ swapl((int *) buffer);
+ buffer += 4;
+--
+GitLab
+