summaryrefslogtreecommitdiff
path: root/source/x/x11/patch/xorg-server/xorg-server.CVE-2013-4396.diff
diff options
context:
space:
mode:
authorPatrick J Volkerding <volkerdi@slackware.com>2013-11-04 17:08:47 +0000
committerEric Hameleers <alien@slackware.com>2018-05-31 22:57:36 +0200
commit76fc4757ac91ac7947a01fb7b53dddf9a78a01d1 (patch)
tree9b98e6e193c7870cb27ac861394c1c4592850922 /source/x/x11/patch/xorg-server/xorg-server.CVE-2013-4396.diff
parent9664bee729d487bcc0a0bc35859f8e13d5421c75 (diff)
downloadcurrent-76fc4757ac91ac7947a01fb7b53dddf9a78a01d1.tar.gz
Slackware 14.1slackware-14.1
Mon Nov 4 17:08:47 UTC 2013 Slackware 14.1 x86_64 stable is released! It's been another interesting release cycle here at Slackware bringing new features like support for UEFI machines, updated compilers and development tools, the switch from MySQL to MariaDB, and many more improvements throughout the system. Thanks to the team, the upstream developers, the dedicated Slackware community, and everyone else who pitched in to help make this release a reality. The ISOs are off to be replicated, a 6 CD-ROM 32-bit set and a dual-sided 32-bit/64-bit x86/x86_64 DVD. Please consider supporting the Slackware project by picking up a copy from store.slackware.com. We're taking pre-orders now, and offer a discount if you sign up for a subscription. Have fun! :-)
Diffstat (limited to 'source/x/x11/patch/xorg-server/xorg-server.CVE-2013-4396.diff')
-rw-r--r--source/x/x11/patch/xorg-server/xorg-server.CVE-2013-4396.diff73
1 files changed, 73 insertions, 0 deletions
diff --git a/source/x/x11/patch/xorg-server/xorg-server.CVE-2013-4396.diff b/source/x/x11/patch/xorg-server/xorg-server.CVE-2013-4396.diff
new file mode 100644
index 00000000..14c31782
--- /dev/null
+++ b/source/x/x11/patch/xorg-server/xorg-server.CVE-2013-4396.diff
@@ -0,0 +1,73 @@
+From 7bddc2ba16a2a15773c2ea8947059afa27727764 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith at oracle.com>
+Date: Mon, 16 Sep 2013 21:47:16 -0700
+Subject: [PATCH] Avoid use-after-free in dix/dixfonts.c: doImageText()
+ [CVE-2013-4396]
+
+Save a pointer to the passed in closure structure before copying it
+and overwriting the *c pointer to point to our copy instead of the
+original. If we hit an error, once we free(c), reset c to point to
+the original structure before jumping to the cleanup code that
+references *c.
+
+Since one of the errors being checked for is whether the server was
+able to malloc(c->nChars * itemSize), the client can potentially pass
+a number of characters chosen to cause the malloc to fail and the
+error path to be taken, resulting in the read from freed memory.
+
+Since the memory is accessed almost immediately afterwards, and the
+X server is mostly single threaded, the odds of the free memory having
+invalid contents are low with most malloc implementations when not using
+memory debugging features, but some allocators will definitely overwrite
+the memory there, leading to a likely crash.
+
+Reported-by: Pedro Ribeiro <pedrib at gmail.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+Reviewed-by: Julien Cristau <jcristau at debian.org>
+---
+ dix/dixfonts.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/dix/dixfonts.c b/dix/dixfonts.c
+index feb765d..2e34d37 100644
+--- a/dix/dixfonts.c
++++ b/dix/dixfonts.c
+@@ -1425,6 +1425,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ GC *pGC;
+ unsigned char *data;
+ ITclosurePtr new_closure;
++ ITclosurePtr old_closure;
+
+ /* We're putting the client to sleep. We need to
+ save some state. Similar problem to that handled
+@@ -1436,12 +1437,14 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ err = BadAlloc;
+ goto bail;
+ }
++ old_closure = c;
+ *new_closure = *c;
+ c = new_closure;
+
+ data = malloc(c->nChars * itemSize);
+ if (!data) {
+ free(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }
+@@ -1452,6 +1455,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ if (!pGC) {
+ free(c->data);
+ free(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }
+@@ -1464,6 +1468,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ FreeScratchGC(pGC);
+ free(c->data);
+ free(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }