diff options
Diffstat (limited to 'libre/xorg-server-libre/CVE-2013-6424.diff')
-rw-r--r-- | libre/xorg-server-libre/CVE-2013-6424.diff | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/libre/xorg-server-libre/CVE-2013-6424.diff b/libre/xorg-server-libre/CVE-2013-6424.diff new file mode 100644 index 000000000..8c664b66e --- /dev/null +++ b/libre/xorg-server-libre/CVE-2013-6424.diff @@ -0,0 +1,49 @@ +From patchwork Wed Oct 2 13:47:54 2013 +Content-Type: text/plain; charset="utf-8" +MIME-Version: 1.0 +Content-Transfer-Encoding: 7bit +Subject: exa: only draw valid trapezoids +From: Maarten Lankhorst <maarten.lankhorst@canonical.com> +X-Patchwork-Id: 14769 +Message-Id: <524C240A.9010607@canonical.com> +To: "X.Org Devel List" <xorg-devel@lists.freedesktop.org> +Date: Wed, 02 Oct 2013 15:47:54 +0200 + +Fixes freedesktop.org bug https://bugs.freedesktop.org/show_bug.cgi?id=67484 + +If t->bottom is close to MIN_INT, removing top can wraparound, so do the check properly. +A similar fix should also be applied to pixman. + +Signed-off-by: Maarten Lankhorst <maarten.lankhorst@canonical.com> + +--- + + +diff --git a/exa/exa_render.c b/exa/exa_render.c +index 172e2b5..807eeba 100644 +--- a/exa/exa_render.c ++++ b/exa/exa_render.c +@@ -1141,7 +1141,8 @@ exaTrapezoids(CARD8 op, PicturePtr pSrc, PicturePtr pDst, + + exaPrepareAccess(pPicture->pDrawable, EXA_PREPARE_DEST); + for (; ntrap; ntrap--, traps++) +- (*ps->RasterizeTrapezoid) (pPicture, traps, -bounds.x1, -bounds.y1); ++ if (xTrapezoidValid(traps)) ++ (*ps->RasterizeTrapezoid) (pPicture, traps, -bounds.x1, -bounds.y1); + exaFinishAccess(pPicture->pDrawable, EXA_PREPARE_DEST); + + xRel = bounds.x1 + xSrc - xDst; +diff --git a/render/picture.h b/render/picture.h +index c85353a..fcd6401 100644 +--- a/render/picture.h ++++ b/render/picture.h +@@ -211,7 +211,7 @@ typedef pixman_fixed_t xFixed; + /* whether 't' is a well defined not obviously empty trapezoid */ + #define xTrapezoidValid(t) ((t)->left.p1.y != (t)->left.p2.y && \ + (t)->right.p1.y != (t)->right.p2.y && \ +- (int) ((t)->bottom - (t)->top) > 0) ++ ((t)->bottom > (t)->top)) + + /* + * Standard NTSC luminance conversions: + |