Bug 103961

Summary: Security - Fix heap overflow with X cursor files
Product: Wayland
Reporter: Tobias Stoeckmann <tobias>
Component: wayland
Assignee: Wayland bug list <wayland-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: medium    
Version: unspecified   
Hardware: Other   
OS: All   
Whiteboard:
i915 platform:
i915 features:
Attachments: wayland-xcursor.patch

Description Tobias Stoeckmann 2017-11-28 20:41:52 UTC
Created attachment 135783 [details] [review]
wayland-xcursor.patch

Fix heap overflows when parsing malicious files.

It is possible to trigger heap overflows due to an integer overflow
while parsing images.

The integer overflow occurs because the chosen limit 0x10000 for
dimensions is too large for 32-bit systems, because each pixel takes
4 bytes. Properly chosen values allow an overflow which in turn will
lead to less allocated memory than needed for subsequent reads.

This patch is ported from libXcursor:
https://cgit.freedesktop.org/xorg/lib/libXcursor/patch/?id=4794b5dd34688158fb51a2943032569d3780c4b8
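As an added illustration (not code from the patch or from libwayland), the wrapping multiplication described above modelled in 32-bit arithmetic, next to an overflow-checked size computation that rejects such headers before anything is allocated; DIM_LIMIT, the function names and the sample dimensions are assumptions:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical dimension cap, modelled on the 0x10000 limit mentioned in
 * the report. The cap alone is not enough; the byte count must also fit. */
#define DIM_LIMIT 0x10000u

/* Models the original computation: width * height * 4 evaluated in 32-bit
 * arithmetic, as size_t would be on a 32-bit system. Wraps silently, so a
 * malicious header can yield a tiny allocation for a huge pixel array. */
uint32_t image_bytes_unchecked(uint32_t width, uint32_t height)
{
    return width * height * 4u;
}

/* Hardened version: enforce the cap and detect a wrap before multiplying.
 * Returns false (and leaves *bytes untouched) when the size is unsafe. */
bool image_bytes_checked(uint32_t width, uint32_t height, uint32_t *bytes)
{
    /* A zero dimension has nothing to read; rejecting it also avoids the
     * division by zero below. */
    if (width == 0 || height == 0 || width >= DIM_LIMIT || height >= DIM_LIMIT)
        return false;
    /* width * height * 4 <= UINT32_MAX holds exactly when
     * height <= UINT32_MAX / 4 / width, evaluated without overflow. */
    if (height > UINT32_MAX / 4u / width)
        return false;
    *bytes = width * height * 4u;
    return true;
}

int main(void)
{
    /* Constructed sample header values: both dimensions are under 0x10000,
     * yet 0x8001 * 0x8000 * 4 exceeds 32 bits and wraps to 0x20000. */
    uint32_t w = 0x8001u, h = 0x8000u, n = 0;
    printf("unchecked: %u bytes\n", image_bytes_unchecked(w, h));
    printf("checked: %s\n", image_bytes_checked(w, h, &n) ? "ok" : "rejected");
    return 0;
}
```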
Comment 1 Olivier Fourdan 2017-11-29 07:46:46 UTC
Thanks for the patch.

Can you post it to the xorg-devel mailing list where it can be reviewed (see https://www.x.org/wiki/Development/Documentation/SubmittingPatches/), copying the wayland-devel mailing list as well (for Xwayland it's always good to copy both)?

Also, for security issues (although I don't think this qualifies here, at worst you'd get a DoS) it's better to send an email to the X.Org security team at xorg-security@lists.x.org (see https://www.x.org/wiki/Development/Security/).
Comment 2 Olivier Fourdan 2017-11-29 07:48:36 UTC
Oh, sorry, my bad, this is for libwayland, please ignore my last post...
Comment 3 Olivier Fourdan 2017-11-29 07:49:45 UTC
Well, the part about sending the patch to the wayland-devel mailing list would still help with the review :)
Comment 4 Pekka Paalanen 2017-11-29 08:00:38 UTC
The patch looks good to me, and while we usually do reviews on the mailing list indeed, I decided to take this and push it, since the change is trivial and looks good to me.

   2420056..5d201df  master -> master

I'll see about stable branches a bit later, so let's not close this bug quite yet.
Comment 5 Pekka Paalanen 2017-11-29 09:41:56 UTC
https://lists.freedesktop.org/archives/wayland-devel/2017-November/035979.html
should let the fix trickle into distributions before we get to making a new release.
