summaryrefslogtreecommitdiff
path: root/source/x/x11/patch/xorg-server/xorg-server.CVE-2013-4396.diff
diff options
context:
space:
mode:
Diffstat (limited to 'source/x/x11/patch/xorg-server/xorg-server.CVE-2013-4396.diff')
-rw-r--r--source/x/x11/patch/xorg-server/xorg-server.CVE-2013-4396.diff73
1 files changed, 73 insertions, 0 deletions
diff --git a/source/x/x11/patch/xorg-server/xorg-server.CVE-2013-4396.diff b/source/x/x11/patch/xorg-server/xorg-server.CVE-2013-4396.diff
new file mode 100644
index 00000000..14c31782
--- /dev/null
+++ b/source/x/x11/patch/xorg-server/xorg-server.CVE-2013-4396.diff
@@ -0,0 +1,73 @@
+From 7bddc2ba16a2a15773c2ea8947059afa27727764 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith at oracle.com>
+Date: Mon, 16 Sep 2013 21:47:16 -0700
+Subject: [PATCH] Avoid use-after-free in dix/dixfonts.c: doImageText()
+ [CVE-2013-4396]
+
+Save a pointer to the passed in closure structure before copying it
+and overwriting the *c pointer to point to our copy instead of the
+original. If we hit an error, once we free(c), reset c to point to
+the original structure before jumping to the cleanup code that
+references *c.
+
+Since one of the errors being checked for is whether the server was
+able to malloc(c->nChars * itemSize), the client can potentially pass
+a number of characters chosen to cause the malloc to fail and the
+error path to be taken, resulting in the read from freed memory.
+
+Since the memory is accessed almost immediately afterwards, and the
+X server is mostly single threaded, the odds of the free memory having
+invalid contents are low with most malloc implementations when not using
+memory debugging features, but some allocators will definitely overwrite
+the memory there, leading to a likely crash.
+
+Reported-by: Pedro Ribeiro <pedrib at gmail.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+Reviewed-by: Julien Cristau <jcristau at debian.org>
+---
+ dix/dixfonts.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/dix/dixfonts.c b/dix/dixfonts.c
+index feb765d..2e34d37 100644
+--- a/dix/dixfonts.c
++++ b/dix/dixfonts.c
+@@ -1425,6 +1425,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ GC *pGC;
+ unsigned char *data;
+ ITclosurePtr new_closure;
++ ITclosurePtr old_closure;
+
+ /* We're putting the client to sleep. We need to
+ save some state. Similar problem to that handled
+@@ -1436,12 +1437,14 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ err = BadAlloc;
+ goto bail;
+ }
++ old_closure = c;
+ *new_closure = *c;
+ c = new_closure;
+
+ data = malloc(c->nChars * itemSize);
+ if (!data) {
+ free(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }
+@@ -1452,6 +1455,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ if (!pGC) {
+ free(c->data);
+ free(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }
+@@ -1464,6 +1468,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ FreeScratchGC(pGC);
+ free(c->data);
+ free(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }