Contents of /trunk/xorg-server/patches/xorg-server-1.14.3-CVE-2013-4369.patch
Revision 2300 -
Thu Oct 10 15:39:10 2013 UTC (10 years, 11 months ago) by niro
File size: 2820 byte(s)
-security fix
1 | From 7bddc2ba16a2a15773c2ea8947059afa27727764 Mon Sep 17 00:00:00 2001 |
2 | From: Alan Coopersmith <alan.coopersmith at oracle.com> |
3 | Date: Mon, 16 Sep 2013 21:47:16 -0700 |
4 | Subject: [PATCH] Avoid use-after-free in dix/dixfonts.c: doImageText() |
5 | [CVE-2013-4396] |
6 | |
7 | Save a pointer to the passed in closure structure before copying it |
8 | and overwriting the *c pointer to point to our copy instead of the |
9 | original. If we hit an error, once we free(c), reset c to point to |
10 | the original structure before jumping to the cleanup code that |
11 | references *c. |
12 | |
13 | Since one of the errors being checked for is whether the server was |
14 | able to malloc(c->nChars * itemSize), the client can potentially pass |
15 | a number of characters chosen to cause the malloc to fail and the |
16 | error path to be taken, resulting in the read from freed memory. |
17 | |
18 | Since the memory is accessed almost immediately afterwards, and the |
19 | X server is mostly single threaded, the odds of the free memory having |
20 | invalid contents are low with most malloc implementations when not using |
21 | memory debugging features, but some allocators will definitely overwrite |
22 | the memory there, leading to a likely crash. |
23 | |
24 | Reported-by: Pedro Ribeiro <pedrib at gmail.com> |
25 | Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com> |
26 | Reviewed-by: Julien Cristau <jcristau at debian.org> |
27 | --- |
28 | dix/dixfonts.c | 5 +++++ |
29 | 1 file changed, 5 insertions(+) |
30 | |
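diff --git a/dix/dixfonts.c b/dix/dixfonts.c
index feb765d..2e34d37 100644
--- a/dix/dixfonts.c
+++ b/dix/dixfonts.c
@@ -1425,6 +1425,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
 GC *pGC;
 unsigned char *data;
 ITclosurePtr new_closure;
+ ITclosurePtr old_closure;
 
 /* We're putting the client to sleep. We need to
 save some state. Similar problem to that handled
@@ -1436,12 +1437,14 @@ doImageText(ClientPtr client, ITclosurePtr c)
 err = BadAlloc;
 goto bail;
 }
+ old_closure = c;
 *new_closure = *c;
 c = new_closure;
 
 data = malloc(c->nChars * itemSize);
 if (!data) {
 free(c);
+ c = old_closure;
 err = BadAlloc;
 goto bail;
 }
@@ -1452,6 +1455,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
 if (!pGC) {
 free(c->data);
 free(c);
+ c = old_closure;
 err = BadAlloc;
 goto bail;
 }
@@ -1464,6 +1468,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
 FreeScratchGC(pGC);
 free(c->data);
 free(c);
+ c = old_closure;
 err = BadAlloc;
 goto bail;
 }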
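Review bot: The unwind `free(c); c = old_closure; err = BadAlloc; goto bail;` is now repeated verbatim in the `!data`, `!pGC` and FreeScratchGC failure paths (second, third and fourth hunks), so every future error path added between `c = new_closure;` and the point where the client is put to sleep has to remember the `c = old_closure;` reset or it silently reintroduces the use-after-free this patch closes. Folding "free the copy, restore the original closure" into one unwind label that falls through to `bail` would keep that invariant in a single place; `bail` itself lies outside the hunks, so whether it dereferences `*c` or only reads `err` cannot be confirmed from here, though the description says it references `*c`. `old_closure` is declared without an initializer in the first hunk and only assigned after the `new_closure` allocation check, so the earlier `goto bail` runs with it indeterminate; `ITclosurePtr old_closure = c;` at the declaration would make the restore safe on every path and quiet any maybe-uninitialized warning. Separately, the patch file in this tree is named CVE-2013-4369 while the Subject line carries CVE-2013-4396; the identifier should be reconciled so the fix is findable against advisories. doImageText begins and ends outside the visible hunks.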
74 | -- |
75 | 1.7.9.2 |
76 |