diff options
Diffstat (limited to 'gnu/packages')
| -rw-r--r-- | gnu/packages/patches/virglrenderer-CVE-2017-6386.patch | 54 | ||||
| -rw-r--r-- | gnu/packages/spice.scm | 1 |
2 files changed, 55 insertions, 0 deletions
diff --git a/gnu/packages/patches/virglrenderer-CVE-2017-6386.patch b/gnu/packages/patches/virglrenderer-CVE-2017-6386.patch new file mode 100644 index 0000000000..bd3bf106bf --- /dev/null +++ b/gnu/packages/patches/virglrenderer-CVE-2017-6386.patch @@ -0,0 +1,54 @@ +Fix CVE-2017-6386 (memory leak introduced by fix for CVE-2017-5994). + +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5994 + +Patch copied from upstream source repository: + +https://cgit.freedesktop.org/virglrenderer/commit/?id=737c3350850ca4dbc5633b3bdb4118176ce59920 + +From 737c3350850ca4dbc5633b3bdb4118176ce59920 Mon Sep 17 00:00:00 2001 +From: Dave Airlie <airlied@redhat.com> +Date: Tue, 28 Feb 2017 14:52:09 +1000 +Subject: renderer: fix memory leak in vertex elements state create + +Reported-by: Li Qiang +Free the vertex array in error path. +This was introduced by this commit: +renderer: fix heap overflow in vertex elements state create. + +I rewrote the code to not require the allocation in the first +place if we have an error, seems nicer. + +Signed-off-by: Dave Airlie <airlied@redhat.com> + +diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c +index 1bca7ad..e5d9f5c 100644 +--- a/src/vrend_renderer.c ++++ b/src/vrend_renderer.c +@@ -1648,18 +1648,19 @@ int vrend_create_vertex_elements_state(struct vrend_context *ctx, + unsigned num_elements, + const struct pipe_vertex_element *elements) + { +- struct vrend_vertex_element_array *v = CALLOC_STRUCT(vrend_vertex_element_array); ++ struct vrend_vertex_element_array *v; + const struct util_format_description *desc; + GLenum type; + int i; + uint32_t ret_handle; + +- if (!v) +- return ENOMEM; +- + if (num_elements > PIPE_MAX_ATTRIBS) + return EINVAL; + ++ v = CALLOC_STRUCT(vrend_vertex_element_array); ++ if (!v) ++ return ENOMEM; ++ + v->count = num_elements; + for (i = 0; i < num_elements; i++) { + memcpy(&v->elements[i].base, &elements[i], sizeof(struct pipe_vertex_element)); +-- +cgit v0.10.2 + diff --git a/gnu/packages/spice.scm b/gnu/packages/spice.scm index 363a5e8fc5..838db4b35d 100644 --- a/gnu/packages/spice.scm +++ b/gnu/packages/spice.scm @@ -102,6 +102,7 @@ (uri (string-append "https://www.freedesktop.org/software/virgl/" "virglrenderer-" version ".tar.bz2")) + (patches (search-patches "virglrenderer-CVE-2017-6386.patch")) (sha256 (base32 "06kf0q4l52gzx5p63l8850hff8pmhp7xv1hk8zgx2apbw18y6jd5")))) |