diff --git a/u_exa-only-draw-valid-trapezoids.patch b/u_exa-only-draw-valid-trapezoids.patch
new file mode 100644
index 0000000..e0b3168
--- /dev/null
+++ b/u_exa-only-draw-valid-trapezoids.patch
@@ -0,0 +1,33 @@
+Author: Maarten Lankhorst
+Subject: exa: only draw valid trapezoids
+Patch-Mainline: To be upstreamed
+References: bnc#853846 CVE-2013-6424
+Signed-off-by: Michal Srb
+
+diff --git a/exa/exa_render.c b/exa/exa_render.c
+index 172e2b5..807eeba 100644
+--- a/exa/exa_render.c
++++ b/exa/exa_render.c
+@@ -1141,7 +1141,8 @@ exaTrapezoids(CARD8 op, PicturePtr pSrc, PicturePtr pDst,
+
+ exaPrepareAccess(pPicture->pDrawable, EXA_PREPARE_DEST);
+ for (; ntrap; ntrap--, traps++)
+- (*ps->RasterizeTrapezoid) (pPicture, traps, -bounds.x1, -bounds.y1);
++ if (xTrapezoidValid(traps))
++ (*ps->RasterizeTrapezoid) (pPicture, traps, -bounds.x1, -bounds.y1);
+ exaFinishAccess(pPicture->pDrawable, EXA_PREPARE_DEST);
+
+ xRel = bounds.x1 + xSrc - xDst;
+diff --git a/render/picture.h b/render/picture.h
+index c85353a..fcd6401 100644
+--- a/render/picture.h
++++ b/render/picture.h
+@@ -211,7 +211,7 @@ typedef pixman_fixed_t xFixed;
+ /* whether 't' is a well defined not obviously empty trapezoid */
+ #define xTrapezoidValid(t) ((t)->left.p1.y != (t)->left.p2.y && \
+ (t)->right.p1.y != (t)->right.p2.y && \
+- (int) ((t)->bottom - (t)->top) > 0)
++ ((t)->bottom > (t)->top))
+
+ /*
+ * Standard NTSC luminance conversions:
diff --git a/xorg-x11-server.changes b/xorg-x11-server.changes
index c9b56d1..5ed7365 100644
--- a/xorg-x11-server.changes
+++ b/xorg-x11-server.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Thu Dec 12 14:57:15 UTC 2013 - msrb@suse.com
+
+- u_exa-only-draw-valid-trapezoids.patch
+ * Fix possible x server crash using invalid trapezoids.
+ (bnc#853846 CVE-2013-6424)
+
 -------------------------------------------------------------------
 Thu Dec 12 14:27:20 UTC 2013 - eich@suse.com
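Review bot: In the render/picture.h part of the added patch, `xTrapezoidValid` replaces `(int) ((t)->bottom - (t)->top) > 0` with a direct comparison but leaves the comment above the macro unchanged, so nothing records why the subtraction was dropped. Presumably the difference could overflow xFixed for extreme coordinates and let an inverted trapezoid pass; extending that comment with something like `/* compare directly: bottom - top can overflow xFixed */` would keep a later cleanup from reintroducing it. In exa/exa_render.c the new `if (xTrapezoidValid(traps))` hangs off an unbraced `for`, leaving two nested unbraced statements; bracing both (`for (...) { if (...) { ... } }`) keeps a later edit from silently landing outside the check. exaTrapezoids starts and ends outside the hunk, so whether its other rasterization paths apply the same filter cannot be confirmed from here.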
diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec
index da1b6be..dbd4e49 100644
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@@ -128,6 +128,8 @@ Patch102: u_x86emu-include-order.patch
 Patch103: u_randr_allow_rrselectinput_for_providerchange_and_resourcechange_events.patch
 Patch104: u_xorg-server-xdmcp.patch
 Patch105: ux_xserver_xvfb-randr.patch
+# PATCH-FIX-UPSTREAM u_exa-only-draw-valid-trapezoids.patch bnc#853846 msrb@suse.com -- Fixes possible crash of server using invalid trapezoids. 2013-12-12 patch is waiting in mailing list to be upstreamed.
+Patch106: u_exa-only-draw-valid-trapezoids.patch
 Patch162: b_cache-xkbcomp-output-for-fast-start-up.patch
 Patch211: b_0001-Prevent-XSync-Alarms-from-senslessly-calling-CheckTr.patch
@@ -199,6 +201,7 @@ cp %{SOURCE90} .
 %patch103 -p1
 %patch104 -p1
 %patch105 -p1
+%patch106 -p1
 ### disabled for now
 #%patch162 -p1
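Review bot: The `# PATCH-FIX-UPSTREAM` comment added above `Patch106` cites bnc#853846 but not CVE-2013-6424, which the patch header and the .changes entry both carry. Putting the CVE id on the tag line, e.g. `# PATCH-FIX-UPSTREAM u_exa-only-draw-valid-trapezoids.patch bnc#853846 CVE-2013-6424 msrb@suse.com -- ...`, lets an audit find the fix by grepping the spec without opening the patch file.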