cursor: Fix heap overflows when parsing malicious files

https://bugzilla.redhat.com/show_bug.cgi?id=1522638
2017-12-12 16:03:36 +01:00 · 2017-12-12 16:03:36 +01:00 · 495334024e
commit 495334024e
parent a80cb1c29b
2 changed files with 61 additions and 2 deletions
--- a/0001-cursor-Fix-heap-overflows-when-parsing-malicious-fil.patch
+++ b/0001-cursor-Fix-heap-overflows-when-parsing-malicious-fil.patch
@ -0,0 +1,52 @@
 From 5d201df72f3d4f4cb8b8f75f980169b03507da38 Mon Sep 17 00:00:00 2001
 From: Tobias Stoeckmann <tobias@stoeckmann.org>
 Date: Tue, 28 Nov 2017 21:38:07 +0100
 Subject: [PATCH] cursor: Fix heap overflows when parsing malicious files.
 It is possible to trigger heap overflows due to an integer overflow
 while parsing images.
 The integer overflow occurs because the chosen limit 0x10000 for
 dimensions is too large for 32 bit systems, because each pixel takes
 4 bytes. Properly chosen values allow an overflow which in turn will
 lead to less allocated memory than needed for subsequent reads.
 See also: https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8
 Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=103961
 Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
 [Pekka: add link to the corresponding libXcursor commit]
 Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
 ---
 cursor/xcursor.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
 diff --git a/cursor/xcursor.c b/cursor/xcursor.c
 index ca41c4ac611f..689c7026729d 100644
 --- a/cursor/xcursor.c
 +++ b/cursor/xcursor.c
@@ -202,6 +202,11 @@ XcursorImageCreate (int width, int height)
 {
     XcursorImage    *image;
 +    if (width < 0 || height < 0)
 +       return NULL;
 +    if (width > XCURSOR_IMAGE_MAX_SIZE || height > XCURSOR_IMAGE_MAX_SIZE)
 +       return NULL;
 +
     image = malloc (sizeof (XcursorImage) +
 		    width * height * sizeof (XcursorPixel));
     if (!image)
@@ -482,7 +487,8 @@ _XcursorReadImage (XcursorFile		*file,
     if (!_XcursorReadUInt (file, &head.delay))
 	return NULL;
     /* sanity check data */
 -    if (head.width >= 0x10000 || head.height > 0x10000)
 +    if (head.width > XCURSOR_IMAGE_MAX_SIZE  ||
 +	head.height > XCURSOR_IMAGE_MAX_SIZE)
 	return NULL;
     if (head.width == 0 || head.height == 0)
 	return NULL;
 -- 
 2.14.3
--- a/wayland.spec
+++ b/wayland.spec
@ -1,12 +1,16 @@
 Name:           wayland
 Version:        1.14.0
-Release:        1%{?dist}
+Release:        2%{?dist}
 Summary:        Wayland Compositor Infrastructure
 License:        MIT
 URL:            http://wayland.freedesktop.org/
 Source0:        http://wayland.freedesktop.org/releases/%{name}-%{version}.tar.xz
 # https://lists.freedesktop.org/archives/wayland-devel/2017-November/035979.html
 # Backported from upstream
 Patch0:         0001-cursor-Fix-heap-overflows-when-parsing-malicious-fil.patch
 BuildRequires:  chrpath
 BuildRequires:  docbook-style-xsl
 BuildRequires:  doxygen
@ -66,7 +70,7 @@ Wayland server library
 %prep
-%setup -q
+%autosetup -p1
 %build
@ -127,6 +131,9 @@ XDG_RUNTIME_DIR=$PWD/tests/run make check || \
 %{_libdir}/libwayland-server.so.0*
 %changelog
 * Tue Dec 12 2017 Kalev Lember <klember@redhat.com> - 1.14.0-2
 - cursor: Fix heap overflows when parsing malicious files (#1522638)
 * Wed Aug 09 2017 Kalev Lember <klember@redhat.com> - 1.14.0-1
 - Update to 1.14.0