diff options
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r-- | gnu/packages/patches/libevent-2.0-evbuffer-add-use-last-with-datap.patch | 38 | ||||
-rw-r--r-- | gnu/packages/patches/libwebp-CVE-2016-9085.patch | 144 | ||||
-rw-r--r-- | gnu/packages/patches/ninja-tests.patch | 48 | ||||
-rw-r--r-- | gnu/packages/patches/password-store-gnupg-compat.patch | 53 | ||||
-rw-r--r-- | gnu/packages/patches/qemu-CVE-2017-2620.patch | 134 | ||||
-rw-r--r-- | gnu/packages/patches/qemu-CVE-2017-2630.patch | 47 | ||||
-rw-r--r-- | gnu/packages/patches/virglrenderer-CVE-2017-6386.patch | 54 |
7 files changed, 326 insertions, 192 deletions
diff --git a/gnu/packages/patches/libevent-2.0-evbuffer-add-use-last-with-datap.patch b/gnu/packages/patches/libevent-2.0-evbuffer-add-use-last-with-datap.patch new file mode 100644 index 0000000000..0253700bf6 --- /dev/null +++ b/gnu/packages/patches/libevent-2.0-evbuffer-add-use-last-with-datap.patch @@ -0,0 +1,38 @@ +From a8769ef12d7e223e33fc47bed03fba2bfa2f3536 Mon Sep 17 00:00:00 2001 +From: Marcus Sundberg <marcus@marcussundberg.com> +Date: Sat, 26 Mar 2016 20:11:43 +0100 +Subject: [PATCH] evbuffer_add: Use last_with_datap if set, not last. + +evbuffer_add() would always put data in the last chain, even if there +was available space in a previous chain, and in doing so it also +failed to update last_with_datap, causing subsequent calls to other +functions that do look at last_with_datap to add data in the middle +of the evbuffer instead of at the end. + +Fixes the evbuffer_add() part of issue #335, and the evbuffer/add2 and +evbuffer/add3 tests, and also prevents wasting space available in the +chain pointed to by last_with_datap. +--- + buffer.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/buffer.c b/buffer.c +index 7cca0e8a..f378b731 100644 +--- a/buffer.c ++++ b/buffer.c +@@ -1732,7 +1732,11 @@ evbuffer_add(struct evbuffer *buf, const void *data_in, size_t datlen) + goto done; + } + +- chain = buf->last; ++ if (*buf->last_with_datap == NULL) { ++ chain = buf->last; ++ } else { ++ chain = *buf->last_with_datap; ++ } + + /* If there are no chains allocated for this buffer, allocate one + * big enough to hold all the data. */ +-- +2.12.0 + diff --git a/gnu/packages/patches/libwebp-CVE-2016-9085.patch b/gnu/packages/patches/libwebp-CVE-2016-9085.patch deleted file mode 100644 index e40b353303..0000000000 --- a/gnu/packages/patches/libwebp-CVE-2016-9085.patch +++ /dev/null @@ -1,144 +0,0 @@ -Fix CVE-2016-9085 (several integer overflows): - -https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9085 -http://seclists.org/oss-sec/2016/q4/253 - -Patch copied from upstream source repository: - -https://chromium.googlesource.com/webm/libwebp/+/e2affacc35f1df6cc3b1a9fa0ceff5ce2d0cce83 - -From e2affacc35f1df6cc3b1a9fa0ceff5ce2d0cce83 Mon Sep 17 00:00:00 2001 -From: Pascal Massimino <pascal.massimino@gmail.com> -Date: Mon, 10 Oct 2016 11:48:39 +0200 -Subject: [PATCH] fix potential overflow when width * height * 4 >= (1<<32) - -Mostly: avoid doing calculation like: ptr + j * stride -when stride is 'int'. Rather use size_t, or pointer increments (ptr += stride) -when possible. - -BUG=webp:314 - -Change-Id: I81c684b515dd1ec4f601f32d50a6e821c4e46e20 ---- - examples/gifdec.c | 56 +++++++++++++++++++++++++++++++------------------------ - 1 file changed, 32 insertions(+), 24 deletions(-) - -diff --git a/examples/gifdec.c b/examples/gifdec.c -index 83c3d82..7df176f 100644 ---- a/examples/gifdec.c -+++ b/examples/gifdec.c -@@ -20,6 +20,7 @@ - - #include "webp/encode.h" - #include "webp/mux_types.h" -+#include "webp/format_constants.h" - - #define GIF_TRANSPARENT_COLOR 0x00000000 - #define GIF_WHITE_COLOR 0xffffffff -@@ -103,12 +104,19 @@ int GIFReadFrame(GifFileType* const gif, int transparent_index, - const GifImageDesc* const image_desc = &gif->Image; - uint32_t* dst = NULL; - uint8_t* tmp = NULL; -- int ok = 0; -- GIFFrameRect rect = { -+ const GIFFrameRect rect = { - image_desc->Left, image_desc->Top, image_desc->Width, image_desc->Height - }; -+ const uint64_t memory_needed = 4 * rect.width * (uint64_t)rect.height; -+ int ok = 0; - *gif_rect = rect; - -+ if (memory_needed != (size_t)memory_needed || -+ memory_needed > 4 * MAX_IMAGE_AREA) { -+ fprintf(stderr, "Image is too large (%d x %d).", rect.width, rect.height); -+ return 0; -+ } -+ - // Use a view for the sub-picture: - if (!WebPPictureView(picture, rect.x_offset, rect.y_offset, - rect.width, rect.height, &sub_image)) { -@@ -132,15 +140,15 @@ int GIFReadFrame(GifFileType* const gif, int transparent_index, - y += interlace_jumps[pass]) { - if (DGifGetLine(gif, tmp, rect.width) == GIF_ERROR) goto End; - Remap(gif, tmp, rect.width, transparent_index, -- dst + y * sub_image.argb_stride); -+ dst + y * (size_t)sub_image.argb_stride); - } - } - } else { // Non-interlaced image. - int y; -- for (y = 0; y < rect.height; ++y) { -+ uint32_t* ptr = dst; -+ for (y = 0; y < rect.height; ++y, ptr += sub_image.argb_stride) { - if (DGifGetLine(gif, tmp, rect.width) == GIF_ERROR) goto End; -- Remap(gif, tmp, rect.width, transparent_index, -- dst + y * sub_image.argb_stride); -+ Remap(gif, tmp, rect.width, transparent_index, ptr); - } - } - ok = 1; -@@ -216,13 +224,11 @@ int GIFReadMetadata(GifFileType* const gif, GifByteType** const buf, - - static void ClearRectangle(WebPPicture* const picture, - int left, int top, int width, int height) { -- int j; -- for (j = top; j < top + height; ++j) { -- uint32_t* const dst = picture->argb + j * picture->argb_stride; -- int i; -- for (i = left; i < left + width; ++i) { -- dst[i] = GIF_TRANSPARENT_COLOR; -- } -+ int i, j; -+ const size_t stride = picture->argb_stride; -+ uint32_t* dst = picture->argb + top * stride + left; -+ for (j = 0; j < height; ++j, dst += stride) { -+ for (i = 0; i < width; ++i) dst[i] = GIF_TRANSPARENT_COLOR; - } - } - -@@ -246,29 +252,31 @@ void GIFDisposeFrame(GIFDisposeMethod dispose, const GIFFrameRect* const rect, - if (dispose == GIF_DISPOSE_BACKGROUND) { - GIFClearPic(curr_canvas, rect); - } else if (dispose == GIF_DISPOSE_RESTORE_PREVIOUS) { -- const int src_stride = prev_canvas->argb_stride; -- const uint32_t* const src = -- prev_canvas->argb + rect->x_offset + rect->y_offset * src_stride; -- const int dst_stride = curr_canvas->argb_stride; -- uint32_t* const dst = -- curr_canvas->argb + rect->x_offset + rect->y_offset * dst_stride; -+ const size_t src_stride = prev_canvas->argb_stride; -+ const uint32_t* const src = prev_canvas->argb + rect->x_offset -+ + rect->y_offset * src_stride; -+ const size_t dst_stride = curr_canvas->argb_stride; -+ uint32_t* const dst = curr_canvas->argb + rect->x_offset -+ + rect->y_offset * dst_stride; - assert(prev_canvas != NULL); -- WebPCopyPlane((uint8_t*)src, 4 * src_stride, (uint8_t*)dst, 4 * dst_stride, -+ WebPCopyPlane((uint8_t*)src, (int)(4 * src_stride), -+ (uint8_t*)dst, (int)(4 * dst_stride), - 4 * rect->width, rect->height); - } - } - - void GIFBlendFrames(const WebPPicture* const src, - const GIFFrameRect* const rect, WebPPicture* const dst) { -- int j; -+ int i, j; -+ const size_t src_stride = src->argb_stride; -+ const size_t dst_stride = dst->argb_stride; - assert(src->width == dst->width && src->height == dst->height); - for (j = rect->y_offset; j < rect->y_offset + rect->height; ++j) { -- int i; - for (i = rect->x_offset; i < rect->x_offset + rect->width; ++i) { -- const uint32_t src_pixel = src->argb[j * src->argb_stride + i]; -+ const uint32_t src_pixel = src->argb[j * src_stride + i]; - const int src_alpha = src_pixel >> 24; - if (src_alpha != 0) { -- dst->argb[j * dst->argb_stride + i] = src_pixel; -+ dst->argb[j * dst_stride + i] = src_pixel; - } - } - } --- -2.10.1 - diff --git a/gnu/packages/patches/ninja-tests.patch b/gnu/packages/patches/ninja-tests.patch deleted file mode 100644 index f9b0d9f910..0000000000 --- a/gnu/packages/patches/ninja-tests.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 67d6b9262efad99f8aad63ab81efc8e689748766 Mon Sep 17 00:00:00 2001 -From: Efraim Flashner <efraim@flashner.co.il> -Date: Sun, 3 Jul 2016 11:55:43 +0300 -Subject: [PATCH] patch - ---- - src/subprocess_test.cc | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/src/subprocess_test.cc b/src/subprocess_test.cc -index ee16190..a537c11 100644 ---- a/src/subprocess_test.cc -+++ b/src/subprocess_test.cc -@@ -72,6 +72,7 @@ TEST_F(SubprocessTest, NoSuchCommand) { - - #ifndef _WIN32 - -+#if 0 - TEST_F(SubprocessTest, InterruptChild) { - Subprocess* subproc = subprocs_.Add("kill -INT $$"); - ASSERT_NE((Subprocess *) 0, subproc); -@@ -82,6 +83,7 @@ TEST_F(SubprocessTest, InterruptChild) { - - EXPECT_EQ(ExitInterrupted, subproc->Finish()); - } -+#endif - - TEST_F(SubprocessTest, InterruptParent) { - Subprocess* subproc = subprocs_.Add("kill -INT $PPID ; sleep 1"); -@@ -217,6 +219,7 @@ TEST_F(SubprocessTest, SetWithMulti) { - // OS X's process limit is less than 1025 by default - // (|sysctl kern.maxprocperuid| is 709 on 10.7 and 10.8 and less prior to that). - #if !defined(__APPLE__) && !defined(_WIN32) -+#if 0 - TEST_F(SubprocessTest, SetWithLots) { - // Arbitrary big number; needs to be over 1024 to confirm we're no longer - // hostage to pselect. -@@ -245,6 +248,7 @@ TEST_F(SubprocessTest, SetWithLots) { - } - ASSERT_EQ(kNumProcs, subprocs_.finished_.size()); - } -+#endif - #endif // !__APPLE__ && !_WIN32 - - // TODO: this test could work on Windows, just not sure how to simply --- -2.9.0 - diff --git a/gnu/packages/patches/password-store-gnupg-compat.patch b/gnu/packages/patches/password-store-gnupg-compat.patch new file mode 100644 index 0000000000..c314ba6647 --- /dev/null +++ b/gnu/packages/patches/password-store-gnupg-compat.patch @@ -0,0 +1,53 @@ +Copied from upstream mailing list: +https://lists.zx2c4.com/pipermail/password-store/2017-March/002844.html. + +The patch actually restores compatibility with GnuPG 2.1.19, the '2.2.19' in +the commit message is a typo. + +From 8723d8e8192683891904aff321446b0fac37d1ad Mon Sep 17 00:00:00 2001 +From: Andreas Stieger <astieger@suse.com> +Date: Fri, 10 Mar 2017 15:43:26 +0100 +Subject: [PATCH] Fix compatibility with GnuPG 2.2.19 + +GnuPG 2.2.19 added a warning when no command was given. + +* src/password-store.sh (reencrypt_path): Add --decrypt to --list-only +* tests/t0300-reencryption.sh (gpg_keys_from_encrypted_file): same + +https://bugs.gnupg.org/gnupg/msg9873 +http://git.gnupg.org/cgi-bin/gitweb.cgi?p=gnupg.git;a=commit;h=810adfd47801fc01e45fb71af9f05c91f7890cdb +https://bugzilla.suse.com/show_bug.cgi?id=1028867 +--- + src/password-store.sh | 2 +- + tests/t0300-reencryption.sh | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/password-store.sh b/src/password-store.sh +index 1ab6fb5..bad8d4f 100755 +--- a/src/password-store.sh ++++ b/src/password-store.sh +@@ -125,7 +125,7 @@ reencrypt_path() { + done + gpg_keys="$($GPG $PASSWORD_STORE_GPG_OPTS --list-keys --with-colons "${GPG_RECIPIENTS[@]}" | sed -n 's/sub:[^:]*:[^:]*:[^:]*:\([^:]*\):[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[a-zA-Z]*e[a-zA-Z]*:.*/\1/p' | LC_ALL=C sort -u)" + fi +- current_keys="$($GPG $PASSWORD_STORE_GPG_OPTS -v --no-secmem-warning --no-permission-warning --list-only --keyid-format long "$passfile" 2>&1 | cut -d ' ' -f 5 | LC_ALL=C sort -u)" ++ current_keys="$($GPG $PASSWORD_STORE_GPG_OPTS -v --no-secmem-warning --no-permission-warning --decrypt --list-only --keyid-format long "$passfile" 2>&1 | cut -d ' ' -f 5 | LC_ALL=C sort -u)" + + if [[ $gpg_keys != "$current_keys" ]]; then + echo "$passfile_display: reencrypting to ${gpg_keys//$'\n'/ }" +diff --git a/tests/t0300-reencryption.sh b/tests/t0300-reencryption.sh +index 9d46580..6d5811d 100755 +--- a/tests/t0300-reencryption.sh ++++ b/tests/t0300-reencryption.sh +@@ -10,7 +10,7 @@ canonicalize_gpg_keys() { + $GPG --list-keys --with-colons "$@" | sed -n 's/sub:[^:]*:[^:]*:[^:]*:\([^:]*\):[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[^:]*:[a-zA-Z]*e[a-zA-Z]*:.*/\1/p' | LC_ALL=C sort -u + } + gpg_keys_from_encrypted_file() { +- $GPG -v --no-secmem-warning --no-permission-warning --list-only --keyid-format long "$1" 2>&1 | cut -d ' ' -f 5 | LC_ALL=C sort -u ++ $GPG -v --no-secmem-warning --no-permission-warning --decrypt --list-only --keyid-format long "$1" 2>&1 | cut -d ' ' -f 5 | LC_ALL=C sort -u + } + gpg_keys_from_group() { + local output="$($GPG --list-config --with-colons | sed -n "s/^cfg:group:$1:\\(.*\\)/\\1/p" | head -n 1)" +-- +2.12.0 + diff --git a/gnu/packages/patches/qemu-CVE-2017-2620.patch b/gnu/packages/patches/qemu-CVE-2017-2620.patch new file mode 100644 index 0000000000..d3111827b7 --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2017-2620.patch @@ -0,0 +1,134 @@ +Fix CVE-2017-2620: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2620 +https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg04700.html + +Both patches copied from upstream source repository: + +Fixes CVE-2017-2620: +http://git.qemu-project.org/?p=qemu.git;a=commit;h=92f2b88cea48c6aeba8de568a45f2ed958f3c298 + +The CVE-2017-2620 bug-fix depends on this earlier patch: +http://git.qemu-project.org/?p=qemu.git;a=commit;h=913a87885f589d263e682c2eb6637c6e14538061 + +From 92f2b88cea48c6aeba8de568a45f2ed958f3c298 Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann <kraxel@redhat.com> +Date: Wed, 8 Feb 2017 11:18:36 +0100 +Subject: [PATCH] cirrus: add blit_is_unsafe call to cirrus_bitblt_cputovideo + (CVE-2017-2620) + +CIRRUS_BLTMODE_MEMSYSSRC blits do NOT check blit destination +and blit width, at all. Oops. Fix it. + +Security impact: high. + +The missing blit destination check allows to write to host memory. +Basically same as CVE-2014-8106 for the other blit variants. + +Cc: qemu-stable@nongnu.org +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +--- + hw/display/cirrus_vga.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c +index 1deb52070a..b9e7cb1df1 100644 +--- a/hw/display/cirrus_vga.c ++++ b/hw/display/cirrus_vga.c +@@ -900,6 +900,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s) + { + int w; + ++ if (blit_is_unsafe(s, true)) { ++ return 0; ++ } ++ + s->cirrus_blt_mode &= ~CIRRUS_BLTMODE_MEMSYSSRC; + s->cirrus_srcptr = &s->cirrus_bltbuf[0]; + s->cirrus_srcptr_end = &s->cirrus_bltbuf[0]; +@@ -925,6 +929,10 @@ static int cirrus_bitblt_cputovideo(CirrusVGAState * s) + } + s->cirrus_srccounter = s->cirrus_blt_srcpitch * s->cirrus_blt_height; + } ++ ++ /* the blit_is_unsafe call above should catch this */ ++ assert(s->cirrus_blt_srcpitch <= CIRRUS_BLTBUFSIZE); ++ + s->cirrus_srcptr = s->cirrus_bltbuf; + s->cirrus_srcptr_end = s->cirrus_bltbuf + s->cirrus_blt_srcpitch; + cirrus_update_memory_access(s); +-- +2.12.0 + +From 913a87885f589d263e682c2eb6637c6e14538061 Mon Sep 17 00:00:00 2001 +From: Bruce Rogers <brogers@suse.com> +Date: Mon, 9 Jan 2017 13:35:20 -0700 +Subject: [PATCH] display: cirrus: ignore source pitch value as needed in + blit_is_unsafe + +Commit 4299b90 added a check which is too broad, given that the source +pitch value is not required to be initialized for solid fill operations. +This patch refines the blit_is_unsafe() check to ignore source pitch in +that case. After applying the above commit as a security patch, we +noticed the SLES 11 SP4 guest gui failed to initialize properly. + +Signed-off-by: Bruce Rogers <brogers@suse.com> +Message-id: 20170109203520.5619-1-brogers@suse.com +Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> +--- + hw/display/cirrus_vga.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/hw/display/cirrus_vga.c b/hw/display/cirrus_vga.c +index bdb092ee9d..379910db2d 100644 +--- a/hw/display/cirrus_vga.c ++++ b/hw/display/cirrus_vga.c +@@ -294,7 +294,7 @@ static bool blit_region_is_unsafe(struct CirrusVGAState *s, + return false; + } + +-static bool blit_is_unsafe(struct CirrusVGAState *s) ++static bool blit_is_unsafe(struct CirrusVGAState *s, bool dst_only) + { + /* should be the case, see cirrus_bitblt_start */ + assert(s->cirrus_blt_width > 0); +@@ -308,6 +308,9 @@ static bool blit_is_unsafe(struct CirrusVGAState *s) + s->cirrus_blt_dstaddr & s->cirrus_addr_mask)) { + return true; + } ++ if (dst_only) { ++ return false; ++ } + if (blit_region_is_unsafe(s, s->cirrus_blt_srcpitch, + s->cirrus_blt_srcaddr & s->cirrus_addr_mask)) { + return true; +@@ -673,7 +676,7 @@ static int cirrus_bitblt_common_patterncopy(CirrusVGAState * s, + + dst = s->vga.vram_ptr + (s->cirrus_blt_dstaddr & s->cirrus_addr_mask); + +- if (blit_is_unsafe(s)) ++ if (blit_is_unsafe(s, false)) + return 0; + + (*s->cirrus_rop) (s, dst, src, +@@ -691,7 +694,7 @@ static int cirrus_bitblt_solidfill(CirrusVGAState *s, int blt_rop) + { + cirrus_fill_t rop_func; + +- if (blit_is_unsafe(s)) { ++ if (blit_is_unsafe(s, true)) { + return 0; + } + rop_func = cirrus_fill[rop_to_index[blt_rop]][s->cirrus_blt_pixelwidth - 1]; +@@ -795,7 +798,7 @@ static int cirrus_do_copy(CirrusVGAState *s, int dst, int src, int w, int h) + + static int cirrus_bitblt_videotovideo_copy(CirrusVGAState * s) + { +- if (blit_is_unsafe(s)) ++ if (blit_is_unsafe(s, false)) + return 0; + + return cirrus_do_copy(s, s->cirrus_blt_dstaddr - s->vga.start_addr, +-- +2.12.0 + diff --git a/gnu/packages/patches/qemu-CVE-2017-2630.patch b/gnu/packages/patches/qemu-CVE-2017-2630.patch new file mode 100644 index 0000000000..b154d171f1 --- /dev/null +++ b/gnu/packages/patches/qemu-CVE-2017-2630.patch @@ -0,0 +1,47 @@ +Fix CVE-2017-2630: + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2630 +https://lists.gnu.org/archive/html/qemu-devel/2017-02/msg01246.html + +Patch copied from upstream source repository: + +http://git.qemu-project.org/?p=qemu.git;a=commit;h=2563c9c6b8670400c48e562034b321a7cf3d9a85 + +From 2563c9c6b8670400c48e562034b321a7cf3d9a85 Mon Sep 17 00:00:00 2001 +From: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> +Date: Tue, 7 Mar 2017 09:16:27 -0600 +Subject: [PATCH] nbd/client: fix drop_sync [CVE-2017-2630] +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Comparison symbol is misused. It may lead to memory corruption. +Introduced in commit 7d3123e. + +Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@virtuozzo.com> +Message-Id: <20170203154757.36140-6-vsementsov@virtuozzo.com> +[eblake: add CVE details, update conditional] +Signed-off-by: Eric Blake <eblake@redhat.com> +Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> +Message-Id: <20170307151627.27212-1-eblake@redhat.com> +Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> +--- + nbd/client.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/nbd/client.c b/nbd/client.c +index 5c9dee37fa..3dc2564cd0 100644 +--- a/nbd/client.c ++++ b/nbd/client.c +@@ -94,7 +94,7 @@ static ssize_t drop_sync(QIOChannel *ioc, size_t size) + char small[1024]; + char *buffer; + +- buffer = sizeof(small) < size ? small : g_malloc(MIN(65536, size)); ++ buffer = sizeof(small) >= size ? small : g_malloc(MIN(65536, size)); + while (size > 0) { + ssize_t count = read_sync(ioc, buffer, MIN(65536, size)); + +-- +2.12.0 + diff --git a/gnu/packages/patches/virglrenderer-CVE-2017-6386.patch b/gnu/packages/patches/virglrenderer-CVE-2017-6386.patch new file mode 100644 index 0000000000..bd3bf106bf --- /dev/null +++ b/gnu/packages/patches/virglrenderer-CVE-2017-6386.patch @@ -0,0 +1,54 @@ +Fix CVE-2017-6386 (memory leak introduced by fix for CVE-2017-5994). + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5994 + +Patch copied from upstream source repository: + +https://cgit.freedesktop.org/virglrenderer/commit/?id=737c3350850ca4dbc5633b3bdb4118176ce59920 + +From 737c3350850ca4dbc5633b3bdb4118176ce59920 Mon Sep 17 00:00:00 2001 +From: Dave Airlie <airlied@redhat.com> +Date: Tue, 28 Feb 2017 14:52:09 +1000 +Subject: renderer: fix memory leak in vertex elements state create + +Reported-by: Li Qiang +Free the vertex array in error path. +This was introduced by this commit: +renderer: fix heap overflow in vertex elements state create. + +I rewrote the code to not require the allocation in the first +place if we have an error, seems nicer. + +Signed-off-by: Dave Airlie <airlied@redhat.com> + +diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c +index 1bca7ad..e5d9f5c 100644 +--- a/src/vrend_renderer.c ++++ b/src/vrend_renderer.c +@@ -1648,18 +1648,19 @@ int vrend_create_vertex_elements_state(struct vrend_context *ctx, + unsigned num_elements, + const struct pipe_vertex_element *elements) + { +- struct vrend_vertex_element_array *v = CALLOC_STRUCT(vrend_vertex_element_array); ++ struct vrend_vertex_element_array *v; + const struct util_format_description *desc; + GLenum type; + int i; + uint32_t ret_handle; + +- if (!v) +- return ENOMEM; +- + if (num_elements > PIPE_MAX_ATTRIBS) + return EINVAL; + ++ v = CALLOC_STRUCT(vrend_vertex_element_array); ++ if (!v) ++ return ENOMEM; ++ + v->count = num_elements; + for (i = 0; i < num_elements; i++) { + memcpy(&v->elements[i].base, &elements[i], sizeof(struct pipe_vertex_element)); +-- +cgit v0.10.2 + |