summary refs log tree commit diff
path: root/gnu/packages/patches/virglrenderer-CVE-2017-6386.patch
diff options
context:
space:
mode:
authorMark H Weaver <mhw@netris.org>2017-03-19 18:52:01 -0400
committerMark H Weaver <mhw@netris.org>2017-03-19 18:52:12 -0400
commitf67337e23ec16b1e05fcdcc7953f68f13ed6770a (patch)
tree766e98a6c4695228f0a066accf91f639791dad68 /gnu/packages/patches/virglrenderer-CVE-2017-6386.patch
parentb99eec83b861f6bee7afb7bd6ffcbdddd8f62b65 (diff)
parente05fc441cd5528ba6c83b6371c27c1e87dd393e9 (diff)
downloadguix-f67337e23ec16b1e05fcdcc7953f68f13ed6770a.tar.gz
Merge branch 'master' into core-updates
Diffstat (limited to 'gnu/packages/patches/virglrenderer-CVE-2017-6386.patch')
-rw-r--r--gnu/packages/patches/virglrenderer-CVE-2017-6386.patch54
1 files changed, 54 insertions, 0 deletions
diff --git a/gnu/packages/patches/virglrenderer-CVE-2017-6386.patch b/gnu/packages/patches/virglrenderer-CVE-2017-6386.patch
new file mode 100644
index 0000000000..bd3bf106bf
--- /dev/null
+++ b/gnu/packages/patches/virglrenderer-CVE-2017-6386.patch
@@ -0,0 +1,54 @@
+Fix CVE-2017-6386 (memory leak introduced by fix for CVE-2017-5994).
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5994
+
+Patch copied from upstream source repository:
+
+https://cgit.freedesktop.org/virglrenderer/commit/?id=737c3350850ca4dbc5633b3bdb4118176ce59920
+
+From 737c3350850ca4dbc5633b3bdb4118176ce59920 Mon Sep 17 00:00:00 2001
+From: Dave Airlie <airlied@redhat.com>
+Date: Tue, 28 Feb 2017 14:52:09 +1000
+Subject: renderer: fix memory leak in vertex elements state create
+
+Reported-by: Li Qiang
+Free the vertex array in error path.
+This was introduced by this commit:
+renderer: fix heap overflow in vertex elements state create.
+
+I rewrote the code to not require the allocation in the first
+place if we have an error, seems nicer.
+
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+
+diff --git a/src/vrend_renderer.c b/src/vrend_renderer.c
+index 1bca7ad..e5d9f5c 100644
+--- a/src/vrend_renderer.c
++++ b/src/vrend_renderer.c
+@@ -1648,18 +1648,19 @@ int vrend_create_vertex_elements_state(struct vrend_context *ctx,
+                                        unsigned num_elements,
+                                        const struct pipe_vertex_element *elements)
+ {
+-   struct vrend_vertex_element_array *v = CALLOC_STRUCT(vrend_vertex_element_array);
++   struct vrend_vertex_element_array *v;
+    const struct util_format_description *desc;
+    GLenum type;
+    int i;
+    uint32_t ret_handle;
+ 
+-   if (!v)
+-      return ENOMEM;
+-
+    if (num_elements > PIPE_MAX_ATTRIBS)
+       return EINVAL;
+ 
++   v = CALLOC_STRUCT(vrend_vertex_element_array);
++   if (!v)
++      return ENOMEM;
++
+    v->count = num_elements;
+    for (i = 0; i < num_elements; i++) {
+       memcpy(&v->elements[i].base, &elements[i], sizeof(struct pipe_vertex_element));
+-- 
+cgit v0.10.2
+