Update to 1.14.91
This commit is contained in:
parent
972f0b0033
commit
700bbaa6f2
1
.gitignore
vendored
1
.gitignore
vendored
@ -45,3 +45,4 @@
|
||||
/wayland-1.13.92.tar.xz
|
||||
/wayland-1.13.93.tar.xz
|
||||
/wayland-1.14.0.tar.xz
|
||||
/wayland-1.14.91.tar.xz
|
||||
|
@ -1,52 +0,0 @@
|
||||
From 5d201df72f3d4f4cb8b8f75f980169b03507da38 Mon Sep 17 00:00:00 2001
|
||||
From: Tobias Stoeckmann <tobias@stoeckmann.org>
|
||||
Date: Tue, 28 Nov 2017 21:38:07 +0100
|
||||
Subject: [PATCH] cursor: Fix heap overflows when parsing malicious files.
|
||||
|
||||
It is possible to trigger heap overflows due to an integer overflow
|
||||
while parsing images.
|
||||
|
||||
The integer overflow occurs because the chosen limit 0x10000 for
|
||||
dimensions is too large for 32 bit systems, because each pixel takes
|
||||
4 bytes. Properly chosen values allow an overflow which in turn will
|
||||
lead to less allocated memory than needed for subsequent reads.
|
||||
|
||||
See also: https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8
|
||||
Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=103961
|
||||
|
||||
Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
|
||||
[Pekka: add link to the corresponding libXcursor commit]
|
||||
Signed-off-by: Pekka Paalanen <pekka.paalanen@collabora.co.uk>
|
||||
---
|
||||
cursor/xcursor.c | 8 +++++++-
|
||||
1 file changed, 7 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/cursor/xcursor.c b/cursor/xcursor.c
|
||||
index ca41c4ac611f..689c7026729d 100644
|
||||
--- a/cursor/xcursor.c
|
||||
+++ b/cursor/xcursor.c
|
||||
@@ -202,6 +202,11 @@ XcursorImageCreate (int width, int height)
|
||||
{
|
||||
XcursorImage *image;
|
||||
|
||||
+ if (width < 0 || height < 0)
|
||||
+ return NULL;
|
||||
+ if (width > XCURSOR_IMAGE_MAX_SIZE || height > XCURSOR_IMAGE_MAX_SIZE)
|
||||
+ return NULL;
|
||||
+
|
||||
image = malloc (sizeof (XcursorImage) +
|
||||
width * height * sizeof (XcursorPixel));
|
||||
if (!image)
|
||||
@@ -482,7 +487,8 @@ _XcursorReadImage (XcursorFile *file,
|
||||
if (!_XcursorReadUInt (file, &head.delay))
|
||||
return NULL;
|
||||
/* sanity check data */
|
||||
- if (head.width >= 0x10000 || head.height > 0x10000)
|
||||
+ if (head.width > XCURSOR_IMAGE_MAX_SIZE ||
|
||||
+ head.height > XCURSOR_IMAGE_MAX_SIZE)
|
||||
return NULL;
|
||||
if (head.width == 0 || head.height == 0)
|
||||
return NULL;
|
||||
--
|
||||
2.14.3
|
||||
|
2
sources
2
sources
@ -1 +1 @@
|
||||
SHA512 (wayland-1.14.0.tar.xz) = bd38b2b8963d4d98d42c270e5d7dbff6323789a173b19b67a18258424fd8adee5021b282c9d7f6dad0bd25aa0160e76aecd8ed803d4eb25d911ef0a81cd713a5
|
||||
SHA512 (wayland-1.14.91.tar.xz) = e9a1f465188c46e82512efba1c7502fee1201f3ddfb7afe132c406c3fb728f0f5144580663bea4cdc2af38794f00b2c30369ca6e04fdcb691b9ed1889bc11344
|
||||
|
11
wayland.spec
11
wayland.spec
@ -1,16 +1,12 @@
|
||||
Name: wayland
|
||||
Version: 1.14.0
|
||||
Release: 3%{?dist}
|
||||
Version: 1.14.91
|
||||
Release: 1%{?dist}
|
||||
Summary: Wayland Compositor Infrastructure
|
||||
|
||||
License: MIT
|
||||
URL: http://wayland.freedesktop.org/
|
||||
Source0: http://wayland.freedesktop.org/releases/%{name}-%{version}.tar.xz
|
||||
|
||||
# https://lists.freedesktop.org/archives/wayland-devel/2017-November/035979.html
|
||||
# Backported from upstream
|
||||
Patch0: 0001-cursor-Fix-heap-overflows-when-parsing-malicious-fil.patch
|
||||
|
||||
BuildRequires: chrpath
|
||||
BuildRequires: docbook-style-xsl
|
||||
BuildRequires: doxygen
|
||||
@ -131,6 +127,9 @@ XDG_RUNTIME_DIR=$PWD/tests/run make check || \
|
||||
%{_libdir}/libwayland-server.so.0*
|
||||
|
||||
%changelog
|
||||
* Tue Feb 27 2018 Kalev Lember <klember@redhat.com> - 1.14.91-1
|
||||
- Update to 1.14.91
|
||||
|
||||
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1.14.0-3
|
||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user