From bbc5acff6c529dad7303ebdc2010267c841290f80b12b354f5ad844ee9db6107 Mon Sep 17 00:00:00 2001
From: Stefan Dirsch
Date: Tue, 15 Oct 2013 13:48:46 +0000
Subject: [PATCH] - u_Avoid-use-after-free-in-dix-dixfonts.c-doImageText.patch * Fixes a security issue, in which an authenticated X client can cause an X server to use memory after it was freed, potentially leading to crash and/or memory corruption. (CVE-2013-4396, bnc#843652)
OBS-URL: https://build.opensuse.org/package/show/X11:XOrg/xorg-x11-server?expand=0&rev=461
---
 ...r-free-in-dix-dixfonts.c-doImageText.patch | 75 +++++++++++++++++++
 xorg-x11-server.changes | 9 +++
 xorg-x11-server.spec | 2 +
 3 files changed, 86 insertions(+)
 create mode 100644 u_Avoid-use-after-free-in-dix-dixfonts.c-doImageText.patch
diff --git a/u_Avoid-use-after-free-in-dix-dixfonts.c-doImageText.patch b/u_Avoid-use-after-free-in-dix-dixfonts.c-doImageText.patch
new file mode 100644
index 0000000..3110d70
--- /dev/null
+++ b/u_Avoid-use-after-free-in-dix-dixfonts.c-doImageText.patch
@@ -0,0 +1,75 @@
+From a4d9bf1259ad28f54b6d59a480b2009cc89ca623 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith
+Date: Mon, 16 Sep 2013 21:47:16 -0700
+Subject: [PATCH] Avoid use-after-free in dix/dixfonts.c: doImageText()
+
+Save a pointer to the passed in closure structure before copying it
+and overwriting the *c pointer to point to our copy instead of the
+original. If we hit an error, once we free(c), reset c to point to
+the original structure before jumping to the cleanup code that
+references *c.
+
+Since one of the errors being checked for is whether the server was
+able to malloc(c->nChars * itemSize), the client can potentially pass
+a number of characters chosen to cause the malloc to fail and the
+error path to be taken, resulting in the read from freed memory.
+
+Since the memory is accessed almost immediately afterwards, and the
+X server is mostly single threaded, the odds of the free memory having
+invalid contents are low with most malloc implementations when not using
+memory debugging features, but some allocators will definitely overwrite
+the memory there, leading to a likely crash.
+
+Reported-by: Pedro Ribeiro
+Signed-off-by: Alan Coopersmith
+Reviewed-by: Julien Cristau
+---
+ dix/dixfonts.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/dix/dixfonts.c b/dix/dixfonts.c
+index feb765d..2e34d37 100644
+--- a/dix/dixfonts.c
++++ b/dix/dixfonts.c
+@@ -1425,6 +1425,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ GC *pGC;
+ unsigned char *data;
+ ITclosurePtr new_closure;
++ ITclosurePtr old_closure;
+
+ /* We're putting the client to sleep. We need to
+ save some state.
Similar problem to that handled
+@@ -1436,12 +1437,14 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ err = BadAlloc;
+ goto bail;
+ }
++ old_closure = c;
+ *new_closure = *c;
+ c = new_closure;
+
+ data = malloc(c->nChars * itemSize);
+ if (!data) {
+ free(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }
+@@ -1452,6 +1455,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ if (!pGC) {
+ free(c->data);
+ free(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }
+@@ -1464,6 +1468,7 @@ doImageText(ClientPtr client, ITclosurePtr c)
+ FreeScratchGC(pGC);
+ free(c->data);
+ free(c);
++ c = old_closure;
+ err = BadAlloc;
+ goto bail;
+ }
+--
+1.7.9.2
+
diff --git a/xorg-x11-server.changes b/xorg-x11-server.changes
index b13498e..6925d99 100644
--- a/xorg-x11-server.changes
+++ b/xorg-x11-server.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Tue Oct 15 13:07:50 UTC 2013 - sndirsch@suse.com
+
+- u_Avoid-use-after-free-in-dix-dixfonts.c-doImageText.patch
+ * Fixes a security issue, in which an authenticated X client
+ can cause an X server to use memory after it was freed,
+ potentially leading to crash and/or memory corruption.
+ (CVE-2013-4396, bnc#843652)
+
 -------------------------------------------------------------------
 Fri Sep 13 23:39:28 UTC 2013 - tobias.johannes.klausmann@mni.thm.de
diff --git a/xorg-x11-server.spec b/xorg-x11-server.spec
index 8b936bf..9711883 100644
--- a/xorg-x11-server.spec
+++ b/xorg-x11-server.spec
@@ -156,6 +156,7 @@ Patch229: u_disable-acpi-code.patch
 Patch230: u_xserver_xvfb-randr.patch
 Patch240: U_revert_dri2_realloc_dri2_drawable_if-pixmap_serial_changes.patch
+Patch241: u_Avoid-use-after-free-in-dix-dixfonts.c-doImageText.patch
 %description
 This package contains the X.Org Server.
@@ -241,6 +242,7 @@ cp %{SOURCE96} .
 %patch230 -p1
 %patch240 -p1
+%patch241 -p1
 %build
 autoreconf -fi
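Review bot: The restore of the caller's closure is hand-maintained in three separate error paths (`free(c); c = old_closure; err = BadAlloc; goto bail;` after the data, pGC and GC-copy failures), which is the same fragility that produced this CVE — any future error path that frees the copy without restoring `c` reintroduces the use-after-free at `bail`. Either route the three failures through one local teardown that frees the copy and restores `c` exactly once (sketched below), or leave `c` pointing at the caller's closure and work through `new_closure` until the sleep is fully set up, which removes the need for `old_closure` altogether. Whichever form is kept, the new assignment deserves a why-comment such as `old_closure = c;  /* bail dereferences c, and every failure below frees the copy */`, since nothing in the code says why the original pointer is retained. doImageText() starts and ends outside these hunks, and the sketch assumes the block's normal exit sits before the new labels — check that against the full function before applying it.
```c
            old_closure = c;   /* bail dereferences c; every failure below frees the copy */
            *new_closure = *c;
            c = new_closure;

            data = malloc(c->nChars * itemSize);
            if (!data)
                goto bail_closure;
            /* … unchanged: lines between the hunks (c->data now owns the copy) … */
            if (!pGC)
                goto bail_data;
            /* … unchanged: the third failure check; its body becomes … */
                FreeScratchGC(pGC);
                goto bail_data;
            /* … unchanged: rest of the sleep setup and the block's normal exit … */

 bail_data:
            free(c->data);
 bail_closure:
            free(c);
            c = old_closure;   /* the copy is gone; bail must see the caller's closure */
            err = BadAlloc;
            goto bail;
```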