xorg-server: integer underflow (CVE-2013-6424)
Package : xorg-server
Vulnerability : integer underflow
Problem type : remote
Debian-specific: no
CVE ID : CVE-2013-6424
An integer underflow flaw was found in the X.Org server when handling trapezoids. A malicious, authorized client could use this flaw to crash the X.Org server.
References:
http://seclists.org/oss-sec/2013/q4/399
http://patchwork.freedesktop.org/patch/14769/
Patch
diff —git a/exa/exa_render.c b/exa/exa_render.c
index 172e2b5..807eeba 100644
—- a/exa/exa_render.c
+ b/exa/exa_render.c
@@ –1141,7 +1141,8 @@ exaTrapezoids(CARD8 op, PicturePtr pSrc,
PicturePtr pDst,
exaPrepareAccess(pPicture->pDrawable, EXA_PREPARE_DEST);
for (; ntrap; ntrap—, traps)
- (*ps->RasterizeTrapezoid) (pPicture, traps, -bounds.x1, -bounds.y1);
- if (xTrapezoidValid(traps))
- (*ps->RasterizeTrapezoid) (pPicture, traps, -bounds.x1,
-bounds.y1);
exaFinishAccess(pPicture->pDrawable, EXA_PREPARE_DEST);
xRel = bounds.x1 + xSrc - xDst;
diff —git a/render/picture.h b/render/picture.h
index c85353a..fcd6401 100644
—- a/render/picture.h
+ b/render/picture.h
@@ –211,7 +211,7 @@ typedef pixman_fixed_t xFixed;
/* whether ‘t’ is a well defined not obviously empty trapezoid */
#define xTrapezoidValid(t) ((t)left.p1.y != (t)>left.p2.y &&
\
(t)right.p1.y !=
(t)>right.p2.y && \
- (int) ((t)
bottom(t)->top) >0)
- ((t)
bottom > (t)>top))
/*
* Standard NTSC luminance conversions:
(from redmine: issue id 2559, created on 2014-01-07, closed on 2014-01-08)
- Relations:
- relates #2554 (closed)
- child #2560 (closed)