cursor: Fix heap overflows when parsing malicious files

https://bugzilla.redhat.com/show_bug.cgi?id=1522638
2017-12-12 16:03:36 +01:00 · 2017-12-12 16:03:36 +01:00 · 495334024e
commit 495334024e
parent a80cb1c29b
2 changed files with 61 additions and 2 deletions
--- a/0001-cursor-Fix-heap-overflows-when-parsing-malicious-fil.patch
+++ b/0001-cursor-Fix-heap-overflows-when-parsing-malicious-fil.patch
@ -0,0 +1,52 @@
+From 5d201df72f3d4f4cb8b8f75f980169b03507da38 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Tue, 28 Nov 2017 21:38:07 +0100
+Subject: [PATCH] cursor: Fix heap overflows when parsing malicious files.
+
+It is possible to trigger heap overflows due to an integer overflow
+while parsing images.
+
+The integer overflow occurs because the chosen limit 0x10000 for
+dimensions is too large for 32 bit systems, because each pixel takes
+4 bytes. Properly chosen values allow an overflow which in turn will
+lead to less allocated memory than needed for subsequent reads.
+
+See also: https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8
+Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=103961
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+[Pekka: add link to the corresponding libXcursor commit]
+Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
+---
+ cursor/xcursor.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/cursor/xcursor.c b/cursor/xcursor.c
+index ca41c4ac611f..689c7026729d 100644
+--- a/cursor/xcursor.c
+++ b/cursor/xcursor.c
+@@ -202,6 +202,11 @@ XcursorImageCreate (int width, int height)
+ {
+     XcursorImage    *image;
+ 
+    if (width < 0 || height < 0)
+       return NULL;
+    if (width > XCURSOR_IMAGE_MAX_SIZE || height > XCURSOR_IMAGE_MAX_SIZE)
+       return NULL;
+
+     image = malloc (sizeof (XcursorImage) +
+ 		    width * height * sizeof (XcursorPixel));
+     if (!image)
+@@ -482,7 +487,8 @@ _XcursorReadImage (XcursorFile		*file,
+     if (!_XcursorReadUInt (file, &head.delay))
+ 	return NULL;
+     /* sanity check data */
+-    if (head.width >= 0x10000 || head.height > 0x10000)
+    if (head.width > XCURSOR_IMAGE_MAX_SIZE  ||
+	head.height > XCURSOR_IMAGE_MAX_SIZE)
+ 	return NULL;
+     if (head.width == 0 || head.height == 0)
+ 	return NULL;
+-- 
+2.14.3
+
--- a/wayland.spec
+++ b/wayland.spec
@ -1,12 +1,16 @@
 Name:           wayland
 Version:        1.14.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        Wayland Compositor Infrastructure

 License:        MIT
 URL:            http://wayland.freedesktop.org/
 Source0:        http://wayland.freedesktop.org/releases/%{name}-%{version}.tar.xz

+# https://lists.freedesktop.org/archives/wayland-devel/2017-November/035979.html
+# Backported from upstream
+Patch0:         0001-cursor-Fix-heap-overflows-when-parsing-malicious-fil.patch
+
 BuildRequires:  chrpath
 BuildRequires:  docbook-style-xsl
 BuildRequires:  doxygen
@ -66,7 +70,7 @@ Wayland server library


 %prep
-%setup -q
+%autosetup -p1


 %build
@ -127,6 +131,9 @@ XDG_RUNTIME_DIR=$PWD/tests/run make check || \
 %{_libdir}/libwayland-server.so.0*

 %changelog
+* Tue Dec 12 2017 Kalev Lember <klember@redhat.com> - 1.14.0-2
+- cursor: Fix heap overflows when parsing malicious files (#1522638)
+
 * Wed Aug 09 2017 Kalev Lember <klember@redhat.com> - 1.14.0-1
 - Update to 1.14.0