author | Leonardo Arena <rnalrd@alpinelinux.org> | 2016-10-19 11:54:21 +0000 |
---|---|---|
committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2016-10-19 11:59:48 +0000 |
commit | cb627c977abbd0298bd4dddb278243f001aebb0d (patch) | |
tree | a3ca6f70f0d744fb6649f0c042e83b5d6938e89d | |
parent | 0edbd3bb4c1e62998cd1a1f1ef66984d95ba6e9a (diff) | |
main/libxrender: security fix (CVE-2016-7949, CVE-2016-7950)
Fixes #6293
(cherry picked from commit 28cfd0e5313c4075e486c29630eb0a7684c551c5)
-rw-r--r-- | main/libxrender/APKBUILD | 31 | ||||
-rw-r--r-- | main/libxrender/CVE-2016-7949.patch | 55 | ||||
-rw-r--r-- | main/libxrender/CVE-2016-7950.patch | 62 |
3 files changed, 143 insertions, 5 deletions
diff --git a/main/libxrender/APKBUILD b/main/libxrender/APKBUILD index b3591f0d26..002e8c2f20 100644 --- a/main/libxrender/APKBUILD +++ b/main/libxrender/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Natanael Copa <ncopa@alpinelinux.org> pkgname=libxrender pkgver=0.9.8 -pkgrel=0 +pkgrel=1 pkgdesc="X Rendering Extension client library" url="http://xorg.freedesktop.org/" arch="all" @@ -10,10 +10,25 @@ subpackages="$pkgname-dev" depends= depends_dev="xproto renderproto libx11-dev" makedepends="$depends_dev" -source="http://xorg.freedesktop.org/releases/individual/lib/libXrender-$pkgver.tar.bz2" +source="http://xorg.freedesktop.org/releases/individual/lib/libXrender-$pkgver.tar.bz2 + CVE-2016-7949.patch + CVE-2016-7950.patch + " +# secfix: +# 0.9.8-r1: +# - CVE-2016-7949 +# - CVE-2016-7950 _builddir="$srcdir"/libXrender-$pkgver +prepare() { + cd "$_builddir" + for i in $source; do + case $i in + *.patch) msg $i; patch -p1 -i "$srcdir"/$i || return 1;; + esac + done +} build() { cd "$_builddir" 
@@ -30,6 +45,12 @@ package() { make DESTDIR="$pkgdir" install || return 1 rm "$pkgdir"/usr/lib/*.la || return 1 } -md5sums="2bd9a15fcf64d216e63b8d129e4f1f1c libXrender-0.9.8.tar.bz2" -sha256sums="1d14b02f0060aec5d90dfdcf16a996f17002e515292906ed26e3dcbba0f4fc62 libXrender-0.9.8.tar.bz2" -sha512sums="111a0ec4e19932a50da4914d9112b0a16c1d9c800e2b8398ddaf9ed70dae1a4eb75860282ca62d023e78957bbc3f015cb80d91ba76a24595df9f8a2b7e055b58 libXrender-0.9.8.tar.bz2" +md5sums="2bd9a15fcf64d216e63b8d129e4f1f1c libXrender-0.9.8.tar.bz2 +b56b7ae39fe72a275bc7d099cc4f4747 CVE-2016-7949.patch +8b617baf500dabd468acbdcb927f62ee CVE-2016-7950.patch" +sha256sums="1d14b02f0060aec5d90dfdcf16a996f17002e515292906ed26e3dcbba0f4fc62 libXrender-0.9.8.tar.bz2 +c11355d17b5107c57b9bcf1102af0b16dcac1732c452852d158acb156ff0f166 CVE-2016-7949.patch +121a68f14e8cdd5ceb7953ea89e7b0f210752f9c37a85149c38fa8e97fa3f54f CVE-2016-7950.patch" +sha512sums="111a0ec4e19932a50da4914d9112b0a16c1d9c800e2b8398ddaf9ed70dae1a4eb75860282ca62d023e78957bbc3f015cb80d91ba76a24595df9f8a2b7e055b58 libXrender-0.9.8.tar.bz2 +13cac3bdfe8a427b275ebae43624f96fb750b726d01f52f5400b29169ec00d512d114a2f9a0a4050ab96663444670f80fbe2143d0628c529419071363843463e CVE-2016-7949.patch +26df80fafc75369d942659a3c04919bf8d8d8547fff4b60149186c2ff4a375e58654f6d22089614832fce8a5f86c16a966394defa17aaea9a83967bedf7e33e4 CVE-2016-7950.patch" diff --git a/main/libxrender/CVE-2016-7949.patch b/main/libxrender/CVE-2016-7949.patch new file mode 100644 index 0000000000..60ee0674a3 --- /dev/null +++ b/main/libxrender/CVE-2016-7949.patch 
@@ -0,0 +1,55 @@
+From 9362c7ddd1af3b168953d0737877bc52d79c94f4 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sun, 25 Sep 2016 21:43:09 +0200
+Subject: Validate lengths while parsing server data.
+
+Individual lengths inside received server data can overflow
+the previously reserved memory.
+
+It is therefore important to validate every single length
+field to not overflow the previously agreed sum of all invidual
+length fields.
+
+v2: consume remaining bytes in the reply buffer on error.
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+Reviewed-by: Matthieu Herrb@laas.fr
+
+diff --git a/src/Xrender.c b/src/Xrender.c
+index 3102eb2..71cf3e6 100644
+--- a/src/Xrender.c
++++ b/src/Xrender.c
+@@ -533,12 +533,30 @@ XRenderQueryFormats (Display *dpy)
+ screen->fallback = _XRenderFindFormat (xri, xScreen->fallback);
+ screen->subpixel = SubPixelUnknown;
+ xDepth = (xPictDepth *) (xScreen + 1);
++ if (screen->ndepths > rep.numDepths) {
++ Xfree (xri);
++ Xfree (xData);
++ _XEatDataWords (dpy, rep.length);
++ UnlockDisplay (dpy);
++ SyncHandle ();
++ return 0;
++ }
++ rep.numDepths -= screen->ndepths;
+ for (nd = 0; nd < screen->ndepths; nd++)
+ {
+ depth->depth = xDepth->depth;
+ depth->nvisuals = xDepth->nPictVisuals;
+ depth->visuals = visual;
+ xVisual = (xPictVisual *) (xDepth + 1);
++ if (depth->nvisuals > rep.numVisuals) {
++ Xfree (xri);
++ Xfree (xData);
++ _XEatDataWords (dpy, rep.length);
++ UnlockDisplay (dpy);
++ SyncHandle ();
++ return 0;
++ }
++ rep.numVisuals -= depth->nvisuals;
+ for (nv = 0; nv < depth->nvisuals; nv++)
+ {
+ visual->visual = _XRenderFindVisual (dpy, xVisual->visual);
+--
+cgit v0.10.2
+
diff --git a/main/libxrender/CVE-2016-7950.patch b/main/libxrender/CVE-2016-7950.patch
new file mode 100644
index 0000000000..a11f88e8ae
--- /dev/null
+++ b/main/libxrender/CVE-2016-7950.patch
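Review bot: The two new error paths call `_XEatDataWords (dpy, rep.length)` after the data being parsed has evidently already been read into `xData` (it is freed on the same path), so unless the earlier read left exactly `rep.length` words unread — XRenderQueryFormats begins and ends outside this hunk, so I cannot confirm how that read is sized — this eats more than is pending and can desynchronize the client from subsequent replies; the eat amount should be `rep.length` minus the words already consumed. The checks themselves are the right shape: each nested count is bounded by the remaining total that sized the allocation, and the totals are decremented as they are spent. The two six-line cleanup blocks are identical copies; a single `fail:` label reached by `goto` would keep them in sync. A short comment such as `/* a lying server could advertise more depths/visuals per screen than the totals that sized xData; reject rather than walk past the buffer */` would explain why the per-screen count is compared against `rep.numDepths` instead of being validated on its own.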
@@ -0,0 +1,62 @@
+From 8fad00b0b647ee662ce4737ca15be033b7a21714 Mon Sep 17 00:00:00 2001
+From: Tobias Stoeckmann <tobias@stoeckmann.org>
+Date: Sun, 25 Sep 2016 21:42:09 +0200
+Subject: Avoid OOB write in XRenderQueryFilters
+
+The memory for filter names is reserved right after receiving the reply.
+After that, filters are iterated and each individual filter name is
+stored in that reserved memory.
+
+The individual name lengths are not checked for validity, which means
+that a malicious server can reserve less memory than it will write to
+during each iteration.
+
+v2: consume remaining bytes in reply buffer on error.
+
+Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+
+diff --git a/src/Filter.c b/src/Filter.c
+index edfa572..8d701eb 100644
+--- a/src/Filter.c
++++ b/src/Filter.c
+@@ -38,7 +38,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
+ char *name;
+ char len;
+ int i;
+- unsigned long nbytes, nbytesAlias, nbytesName;
++ unsigned long nbytes, nbytesAlias, nbytesName, reply_left;
+ 
+ if (!RenderHasExtension (info))
+ return NULL;
+@@ -114,6 +114,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
+ * Read the filter aliases
+ */
+ _XRead16Pad (dpy, filters->alias, 2 * rep.numAliases);
++ reply_left = 8 + rep.length - 2 * rep.numAliases;;
+ 
+ /*
+ * Read the filter names
+@@ -122,9 +123,19 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
+ {
+ int l;
+ _XRead (dpy, &len, 1);
++ reply_left--;
+ l = len & 0xff;
++ if ((unsigned long)l + 1 > nbytesName) {
++ _XEatDataWords(dpy, reply_left);
++ Xfree(filters);
++ UnlockDisplay (dpy);
++ SyncHandle ();
++ return NULL;
++ }
++ nbytesName -= l + 1;
+ filters->filter[i] = name;
+ _XRead (dpy, name, l);
++ reply_left -= l;
+ name[l] = '\0';
+ name += l + 1;
+ }
+--
+cgit v0.10.2
+
|
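Review bot: `reply_left` mixes units: it is seeded from `rep.length`, which the companion CVE-2016-7949 patch on this page passes straight to `_XEatDataWords` as a word count, but it is then decremented per byte (`reply_left--`, `reply_left -= l`) and finally handed to `_XEatDataWords`, which takes words; if `rep.length` is the usual 32-bit-word reply length, the error path eats up to four times the data actually pending and desynchronizes the connection. Keeping the counter in bytes and passing it to `_XEatData`, or converting with `(reply_left + 3) >> 2` at the call, would make the two agree — to be confirmed against the reply layout, since XRenderQueryFilters begins and ends outside this hunk. The `8 +` term is unexplained and deserves a comment stating which fixed header bytes it accounts for. `reply_left = 8 + rep.length - 2 * rep.numAliases;;` also carries a stray second semicolon.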