1 files changed, 0 insertions, 73 deletions

diff --git a/gnu/packages/patches/libxrender-CVE-2016-7950.patch b/gnu/packages/patches/libxrender-CVE-2016-7950.patch
deleted file mode 100644
index 1a64b6e724..0000000000
--- a/gnu/packages/patches/libxrender-CVE-2016-7950.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-Fix CVE-2016-7950:
-
-https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7950
-
-Patch copied from upstream source repository:
-
-https://cgit.freedesktop.org/xorg/lib/libXrender/commit/?id=8fad00b0b647ee662ce4737ca15be033b7a21714
-
-From 8fad00b0b647ee662ce4737ca15be033b7a21714 Mon Sep 17 00:00:00 2001
-From: Tobias Stoeckmann <tobias@stoeckmann.org>
-Date: Sun, 25 Sep 2016 21:42:09 +0200
-Subject: [PATCH] Avoid OOB write in XRenderQueryFilters
-
-The memory for filter names is reserved right after receiving the reply.
-After that, filters are iterated and each individual filter name is
-stored in that reserved memory.
-
-The individual name lengths are not checked for validity, which means
-that a malicious server can reserve less memory than it will write to
-during each iteration.
-
-v2: consume remaining bytes in reply buffer on error.
-
-Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
-Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
----
- src/Filter.c | 13 ++++++++++++-
- 1 file changed, 12 insertions(+), 1 deletion(-)
-
-diff --git a/src/Filter.c b/src/Filter.c
-index edfa572..8d701eb 100644
---- a/src/Filter.c
-+++ b/src/Filter.c
-@@ -38,7 +38,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
-     char			*name;
-     char			len;
-     int				i;
--    unsigned long		nbytes, nbytesAlias, nbytesName;
-+    unsigned long		nbytes, nbytesAlias, nbytesName, reply_left;
- 
-     if (!RenderHasExtension (info))
- 	return NULL;
-@@ -114,6 +114,7 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
-      * Read the filter aliases
-      */
-     _XRead16Pad (dpy, filters->alias, 2 * rep.numAliases);
-+    reply_left = 8 + rep.length - 2 * rep.numAliases;;
- 
-     /*
-      * Read the filter names
-@@ -122,9 +123,19 @@ XRenderQueryFilters (Display *dpy, Drawable drawable)
-     {
- 	int	l;
- 	_XRead (dpy, &len, 1);
-+	reply_left--;
- 	l = len & 0xff;
-+	if ((unsigned long)l + 1 > nbytesName) {
-+            _XEatDataWords(dpy, reply_left);
-+	    Xfree(filters);
-+	    UnlockDisplay (dpy);
-+	    SyncHandle ();
-+	    return NULL;
-+	}
-+	nbytesName -= l + 1;
- 	filters->filter[i] = name;
- 	_XRead (dpy, name, l);
-+        reply_left -= l;
- 	name[l] = '\0';
- 	name += l + 1;
-     }
--- 
-2.10.1
-