1 files changed, 29 insertions, 0 deletions

diff --git a/x11-base/xorg-server/files/xorg-server-1.12-cve-2015-3418.patch b/x11-base/xorg-server/files/xorg-server-1.12-cve-2015-3418.patch
new file mode 100644
index 000000000000..4b6a6aeab29e
--- /dev/null
+++ b/x11-base/xorg-server/files/xorg-server-1.12-cve-2015-3418.patch
@@ -0,0 +1,29 @@
+From dc777c346d5d452a53b13b917c45f6a1bad2f20b Mon Sep 17 00:00:00 2001
+From: Keith Packard <keithp@keithp.com>
+Date: Sat, 3 Jan 2015 08:46:45 -0800
+Subject: dix: Allow zero-height PutImage requests
+
+The length checking code validates PutImage height and byte width by
+making sure that byte-width >= INT32_MAX / height. If height is zero,
+this generates a divide by zero exception. Allow zero height requests
+explicitly, bypassing the INT32_MAX check.
+
+Signed-off-by: Keith Packard <keithp@keithp.com>
+Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+diff --git a/dix/dispatch.c b/dix/dispatch.c
+index 55b978d..9044ac7 100644
+--- a/dix/dispatch.c
++++ b/dix/dispatch.c
+@@ -2000,7 +2000,7 @@ ProcPutImage(ClientPtr client)
+     tmpImage = (char *) &stuff[1];
+     lengthProto = length;
+ 
+-    if (lengthProto >= (INT32_MAX / stuff->height))
++    if (stuff->height != 0 && lengthProto >= (INT32_MAX / stuff->height))
+         return BadLength;
+ 
+     if ((bytes_to_int32(lengthProto * stuff->height) +
+-- 
+cgit v0.10.2
+