Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[xsrc/trunk]: xsrc/external/mit Backport the only patch from xorg-server 1.20...

details:   https://anonhg.NetBSD.org/xsrc/rev/507add92398d
branches:  trunk
changeset: 10522:507add92398d
user:      maya <maya%NetBSD.org@localhost>
date:      Fri Jul 31 19:35:22 2020 +0000

description:
Backport the only patch from xorg-server 1.20.9 as I can't find a tarball.

>From aac28e162e5108510065ad4c323affd6deffd816 Mon Sep 17 00:00:00 2001
From: Matthieu Herrb <matthieu%herrb.eu@localhost>
Date: Sat, 25 Jul 2020 19:33:50 +0200
Subject: [PATCH] fix for ZDI-11426

Avoid leaking un-initalized memory to clients by zeroing the
whole pixmap on initial allocation.

This vulnerability was discovered by:
Jan-Niklas Sohn working with Trend Micro Zero Day Initiative

Signed-off-by: Matthieu Herrb <matthieu%herrb.eu@localhost>
Reviewed-by: Alan Coopersmith <alan.coopersmith%oracle.com@localhost>

diffstat:

 external/mit/xorg-server.old/dist/dix/pixmap.c |  2 +-
 external/mit/xorg-server/dist/dix/pixmap.c     |  2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diffs (24 lines):

diff -r c67a54a3d80d -r 507add92398d external/mit/xorg-server.old/dist/dix/pixmap.c
--- a/external/mit/xorg-server.old/dist/dix/pixmap.c    Fri Jul 31 19:29:52 2020 +0000
+++ b/external/mit/xorg-server.old/dist/dix/pixmap.c    Fri Jul 31 19:35:22 2020 +0000
@@ -120,7 +120,7 @@
     if (pScreen->totalPixmapSize > ((size_t)-1) - pixDataSize)
        return NullPixmap;
     
-    pPixmap = malloc(pScreen->totalPixmapSize + pixDataSize);
+    pPixmap = calloc(1, pScreen->totalPixmapSize + pixDataSize);
     if (!pPixmap)
        return NullPixmap;
 
diff -r c67a54a3d80d -r 507add92398d external/mit/xorg-server/dist/dix/pixmap.c
--- a/external/mit/xorg-server/dist/dix/pixmap.c        Fri Jul 31 19:29:52 2020 +0000
+++ b/external/mit/xorg-server/dist/dix/pixmap.c        Fri Jul 31 19:35:22 2020 +0000
@@ -117,7 +117,7 @@
     if (pScreen->totalPixmapSize > ((size_t) - 1) - pixDataSize)
         return NullPixmap;
 
-    pPixmap = malloc(pScreen->totalPixmapSize + pixDataSize);
+    pPixmap = calloc(1, pScreen->totalPixmapSize + pixDataSize);
     if (!pPixmap)
         return NullPixmap;
Home | Main Index | Thread Index | Old Index